DSB (Austria) - 2021-0.518.795

From GDPRhub
Revision as of 10:13, 10 March 2022 by Hha (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB (Austria) - 2021-0.518.795
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 4(7) GDPR
Article 4(10) GDPR
Article 4(15) GDPR
Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 9(2)(f) GDPR
Article 83(1) GDPR
Article 83(2)(b) GDPR
Article 83(5)(a) GDPR
Art 7 CFR
§ 1489 General Civil Code (Allgemeines Bürgerliches Gesetzbuch - ABGB)
Type: Other
Outcome: n/a
Started:
Decided: 05.08.2021
Published: 20.12.2021
Fine: 600 EUR
Parties: unnkown individual (controller and perpetrator)
National Case Number/Name: 2021-0.518.795
European Case Law Identifier: ECLI:AT:DSB:2021:2021.0.518.795
Appeal: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: n/a

The Austrian DPA imposed a fine of €600 on an individual for unlawfully disclosing the medical data of a data subject to the latter's employer.

English Summary[edit | edit source]

Facts[edit | edit source]

Person A is employed at a municipality and has been on sick leave for several weeks in 2013 and 2014. In September 2014, the municipality concluded that Person A's sickness had been caused by another individual (Person B) who was then asked for damages. In another proceeding between Person A and Person B, the latter obtained a medical assessment concerning Person A's state of health. According to Person B's view, this document would have proved the municipality's claim wrong. The document was therefore shared with the municipality (even though no further steps had been taken following the initial claim). For this reasons, Person B is considered controller of Person A's personal data.

Holding[edit | edit source]

The DPA held that there was no legal basis under Article 9(2) GDPR for sending the medical assessment, which contained health data under Article 14 GDPR#15Article 4(15) GDPR, to the municipality. In particular, the controller could not invoke Article 9(2)(f) GDPR ("necessary for the establishment, exercise or defence of legal claims") because i) the municipality had taken no further steps to claim damages from the controller since September 2014 and ii) the claim had already been time-barred under § 1489 General Civil Code (Allgemeines Bürgerliches Gesetzbuch - ABGB) since more than three years had passed since the event that allegedly caused the damage (harming behaviour towards the data subject).

Consequently, the DPA held that the disclosure of the data subject's health data were not necessary "for the establishment, exercise or defence of legal claims". To lawfully disclose the data, the data subject's explicit consent would have been required. When deciding on the amount of the administrative fine, the DSB took into account the sensitive nature of the data and wilful conduct of the controller but also the controller's low income and the fact that the controller collaborated with the DSB in the course of the procedure.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
08/05/2021


Business number
2021-0.518.795


Appeal at the BVwG / VwGH / VfGH
This penalty decision is final.




text
GZ: 2021-0.518.795 of August 5, 2021 (case number: DSB-D550.214)

[Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be abbreviated and / or changed for reasons of pseudonymisation being. Obvious spelling, grammar, and punctuation errors have been corrected.]


Penalty judgment

Accused: Martin N ***, born on: 13.06.19 **, S *** straße 2 *, 1 *** W ***

As the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 on the protection of natural persons when processing personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : "GDPR"), OJ No. L 119 of 04.05.2016 p. 1, the following facts have been realized and the following administrative offense (s) have been committed as a result:
They have
- on June **, 2019, 1 *: 11 a.m. (time of the offense)
- using an appropriate terminal
a message by email from the email address you used (martinn*@*mail.at) to the email address of the municipality of S *** (post@gemeinde.s***abteilung***.at) , transmitted with the following content:
"To the department ***
Since Ms. Susanne F *** works as a kindergarten teacher for you and said on the TV show ***, she is * 0% disabled because her neighbor is harassing her. But the court opinion says something different (see appendix).
Please send a read receipt.
Kind regards"
As part of the above-mentioned e-mail message, you have a document attached (Statement by Rudolf L ***, * Dr., Dated **. 04.2014), which you will receive as part of civil proceedings before the Regional Court *** regarding the number * 3 Cg * 34 / 13r as a party to the proceedings, this document containing health-related data in relation to Ms. Susanne F ***.
You have therefore processed health-related data by sending the email message including attachments, contrary to the prohibition in Art. 9 GDPR and disclosed the personal data concerned to several people who are attributable to Ms. Susanne F *** as the employer.
As a result, you have violated the following principles of the GDPR:
 Principle of processing personal data in a lawful manner, in good faith and in a manner that is understandable for the data subject ("lawfulness, processing in good faith, transparency")

Administrative offense (s) after:
Article 5 (1) (a), Article 9 (1) and (2) in conjunction with Article 83 (1) and (5) (a) GDPR, OJ L 2016/119, 1 as amended L 2016/314 , 72 and L 2018/127, 2

The following penalty is imposed for these administrative offense (s):


Fine of euros
if this is irrecoverable, a substitute imprisonment of
According to


€ 600.00
36 hours
Art 83 (5) lit.








Furthermore, according to § 64 of the Administrative Penal Act 1991 - VStG, you have to pay:
60.00
Euros as a contribution to the costs of the criminal proceedings, that is 10% of the penalty, but at least 10 euros;

Euros to replace cash expenses for

The total amount to be paid (penalty / costs / cash outlays) is therefore
660.00
Euro

Payment term:
If no complaint is made, this penalty decision is immediately enforceable. In this case, the total amount is to be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, according to the data protection authority, within two weeks after it becomes legally binding. The transaction number and the completion date should be given as the intended purpose.
If no payment is made within this period, the total amount can be dunned. In this case, a flat fee of five euros has to be paid. If, however, no payment is made, the outstanding amount will be enforced and, in the event that it is uncollectible, the equivalent imprisonment for this amount will be enforced.
Reason:
1. The following facts relevant to the decision have been established on the basis of the evidence procedure carried out:
1.1. The accused has on **. June 2019, 1 *: 11 a.m., send an email message from the email address you used (martinn*@*mail.at) to the email address of the department *** S *** ( post@gemeinde.s***abteilung***.at), transmitted with the following content (formatting not reproduced one-to-one):
"To the department ***
Since Ms. Susanne F *** works as a kindergarten teacher for you and said on the TV show ***, she is * 0% disabled because her neighbor is harassing her. But the court opinion says something different (see appendix).
Please send a read receipt.
Kind regards"
1.2. As an attachment, the accused has a document (statement by Rudolf L ***, * Dr., Dated **. 04.2014), which he received in the context of civil proceedings before the regional court *** for the number * 3 Cg * 34 / 13r as Accessible to the party to the proceedings, this document contains health-related data in relation to Ms. Susanne F ***. The latter document was transmitted unredacted by the accused.
1.3. The person affected by the data transfer has at no time (expressly) consented to the processing of their personal (health) data by the accused.
1.4. Long-standing neighborly disputes exist between the person concerned as well as their spouse and the accused, which also formed the subject of several civil and criminal proceedings. The here accused was due to the acts committed against the person concerned on **. 06.2013 from LG *** to AZ * 23 Hv * 4 / 13c because of § 218 (1) Z 2 StGB and § 107a (1 and 2) Z 1 StGB sentenced.
1.5. The accused concluded a legally binding settlement dated **. 07.2020 with the person concerned before the LG *** for AZ 29 Cg 23 / 19k and undertook in it,
a) the distribution of the letter of Dr. Rudolf L ***, dated **. 04.2014 or similar documents describing the sexual and intimate life of the plaintiff as well as medical diagnoses, in particular to neighbors and - with the exception of legal enforcement or legal defense of specific claims made against the defendant or asserted by him ( including criminal proceedings) - also to authorities and the applicant's employer,
b) Ordinary insults and allegations and questions about "masturbation" against the plaintiff to refrain, as well as to pay the plaintiff EUR 1,500 and EUR 3,500 as reimbursement within 14 days from the legal validity of this settlement to the attention of the plaintiff.
1.6. At the time of the offense, the person affected by the data transfer was employed by the municipality of S *** and was on sick leave for several weeks in 2013 and 2014. Since the illness-related incapacity to work was brought into a causal connection with the behavior of the accused, Department I *** of the municipality S *** sent a letter of formal notice dated **. 09.2014 to the accused and requested him to pay 1 * .1 **, 21 euros as a replacement for service income during the incapacity for work (including special payments) and employer contributions for the employees. The accused has not yet complied with this request, but the municipality of S *** has not taken any further judicial or extrajudicial enforcement steps since then.
1.7. According to his own statements, the accused is unemployed and does not earn any income, but only receives social assistance benefits.
2. The determinations are made on the basis of the following evidence assessment:
2.1. The findings with regard to the transmission of the health data in question in the sense of the allegation result from the justification of the accused in the context of the suspect's interrogation on 06.06.2021, the remaining contents of the file, including a letter of formal notice from the municipality of S *** to the suspect from 09.22.2014 as well as a related statement from the municipality of S *** to the data protection authority in the context of a request for administrative assistance, received by email on 06.2021 as well as a supplementary statement by the accused on this, with email dated 08.2021. The accused himself never denied the allegation.
2.2. The accused therefore allows the data to be transmitted to department *** of the municipality of S ***, but justifies this by stating that the municipality of S *** had raised (out of court) claims for damages against him in September 2014. Again within the framework of the granting of the parties to be heard, subject to the evidence based on the request for administrative assistance to the municipality of S *** on the question of whether the accused continued to be asked to pay damages in court or out of court after 2014, this being done by the municipality of S ** * was denied, the accused explains verbatim as follows (spelling and grammatical errors as in the original):
"The municipality of S *** writes:
The claims made at the time are not to be regarded as settled, but no civil law enforcement has been made to date.
Therefore I had to reckon at any time that the municipality S *** would demand the claims from me and that I would have to call the statement or possibly the expert opinion again, because Ms. Susanne F *** made false claims against me publicly on the television program *** ( https://www.youtube.com/***i) said she is * 0% disabled.
Ms. Susanne F *** has also made false claims against me at the municipality of S *** and has therefore first made the claim against me and has not yet received a cessation of the claim and the proceedings are not yet to be regarded as settled. "
The result was therefore to be regarded as undisputed, but the accused takes the view on the basis of data protection law that the data transfer in question was covered (analogously) by Art. 9 (2) (f) GDPR.
3. Legally it follows from this:
3.1. Art. 83 (5) (a) GDPR stipulates that fines of up to 20,000,000 euros [...] can be imposed in the event of violations of the provisions of Art. 5, 6, 7 and 9 GDPR. According to Section 22 (5) DSG, the responsibility for imposing fines on natural and legal persons, as the national supervisory authority, lies with the data protection authority.
3.2. Art. 4 Z 2 GDPR defines the term "processing" as any process carried out with or without the help of automated procedures or any such series of processes in connection with personal data such as the collection, recording, organization, ordering, storage, adaptation or Modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, deletion or destruction;
Art. 4 Z 7 GDPR defines the term “person responsible” as the natural or legal person, authority, institution or other body that decides alone or jointly with others on the purposes and means of processing personal data.
Art 4 Z 10 defines the term "third party" as a natural or legal person, authority, institution or other body, apart from the data subject, the person responsible, the processor and the persons who are authorized under the direct responsibility of the person responsible or the processor to process the personal data;
Art. 4 sub-section 15 defines the term “health data” as personal data that relate to the physical or mental health of a natural person, including the provision of health services, and from which information about their state of health emerges;
3.3. According to Art. 9 Paragraph 1, the processing of personal data from which racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership emerge, as well as the processing of genetic data, biometric data for the unambiguous identification of a natural person, is health data or data on the sex life or sexual orientation of a natural person is prohibited.
Art. 9 para. 2 GDPR contains a final list of exceptions to the processing prohibition according to para. 1 leg cit .:
a) The person concerned has expressly consented to the processing of the personal data mentioned for one or more specified purposes, unless, under Union law or the law of the member states, the prohibition under paragraph 1 cannot be lifted with the consent of the person concerned,
[...]
f) the processing is necessary for the establishment, exercise or defense of legal claims or for acts of the courts in the context of their judicial activity,
3.4. As stated above, on June **, 2019 (1 *: 11 a.m.), the accused sent an email message to department *** of the municipality of S *** and attached a PDF document as a file attachment, with the attached Document information relating to the mental health and privacy of Susanne F *** (the data subject) emerges. This means that the accused is to be qualified as the person responsible under data protection law for the processing of health data relating to the person concerned through transmission and disclosure to third parties.
3.5. The objective was therefore to check whether the processing of health data carried out by the accused was covered by one of the exceptions standardized in Art. 9 (2) GDPR.
3.6. As a justification for the present data transfer, the accused cites in the course of his interrogation (and again on the occasion of his written statement on the hearing of the parties dated **. 08.2021) that the person concerned falsely publicly claimed that he was the cause of a mental illness of the person concerned and their consequent related sick leave and this circumstance in turn only led to the fact that the municipality S ***, as the employer of the persons concerned, turned to him in September 2014 with claims for damages (see above under point 1.6).
3.7. As stated, the person concerned has at no time (expressly) consented to the processing of their health data carried out by the accused within the meaning of Art. 9 Para. 1 lit. a GDPR. With a view to the allegations of the accused, it was necessary to check whether the data transfer can be based on Art. 9 Para. 2 lit. June 2019 was allowed to rightly carry out to the community S *** am **. September 2014 to defend against him (out of court) asserted claims for damages (because of continued payment to Susanne F *** for periods of her illness-related incapacity).
The legal status of Art 9 Paragraph 2 lit f GDPR represents a special case of the general legal status status of legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR for sensitive data (Schiff in Ehmann / Selmayr, DS-GVO² Art 9 Rz 47).
The term legal claims is to be understood broadly and includes claims under public and private law (Schiff in Ehmann / Selmayr, DS-GVO² Art 9 Rz 48). The decisive factor is that there is a legal conflict (Schiff in Ehmann / Selmayr, Art 9 GDPR margin no.48; a conflict that forces the claimant to take procedural action). However, it does not depend on the type of legal process followed (Kampert in Sydow, European General Data Protection Regulation, Art 9 GDPR margin no.34).
Required means that without the data the assertion of the claim or a defense against it would not be possible or significantly more difficult (Kampert in Sydow, Art 9 GDPR margin no.34).
The exceptions of Art 9 (2) GDPR permit processing only in compliance with the other requirements of the GDPR, which includes a proportionality test in the respective individual case, provided that the exceptions explicitly provide for this (Korge in Gierschmann / Schlender / Stentzel / Veil, commentary on the General Data Protection Regulation, Art 9 margin no.19). The requirements of Article 9 (2) GDPR must be observed in addition to the general processing requirements of Article 6 (1) GDPR (Petri in Simitis / Hornung / Spiecker, Article 9 GDPR margin no.2).
3.8. In the present case, in which the alleged disclosure by transmission to third parties concerns Susanne F ***'s health data, the legality of this processing operation therefore depends on whether the accused is based on a legal interest that corresponds to the facts of Art. 9 Para. 2 lit. f GDPR, specifically whether the data transfer in question was "necessary for the establishment, exercise or defense of legal claims [of the accused]". If this question is answered in the affirmative, the interests of the accused must be weighed against the interests of confidentiality of the data subjects (Art 6 Para. 1 lit.f GDPR, cf. in relation to § 219 ZPO, OGH of 24.07.2019, 6 Ob 45 / 19i).
3.9. However, since the municipality S *** has not taken any more judicial or extrajudicial steps against the accused since the letter of formal notice dated September **, 2014 to assert any existing claims for damages based on the legal grounds set out above, as well as with a view to the statute of limitations of § 1489 ABGB, according to which claims for damages are to be asserted within three years of knowledge of the perpetrator and damage, can be based on the time of the transmission of the health data on **. June 2019 it can no longer be assumed that there was even a legal conflict between the municipality of S *** and the accused as the perpetrator; In addition, in the context of his email message to Department *** of the municipality of S ***, the accused does not even refer to a possible claim for damages against him, against which he tried to defend himself with the present letter.
3.10. But even if one assumes that at the present time there was a civil law conflict in the form of a legitimate claim for damages against the accused between the accused and the municipality S ***, the data transfer of the health data concerned to the department *** of the municipality S * ** only legal if this was necessary to defend against the claim.
"Required" in this context means that without the data, the assertion of the claim or a defense against it would not be possible or significantly more difficult (Kampert in Sydow, Art 9 GDPR margin no. 34).
3.11. In relation to the facts at hand, however, the criterion of necessity was determined by the fact that in 2014 the accused was not requested by Department ***, but by Department I ***, which is responsible for personnel matters, to pay a damage amount. Department *** was therefore not the body that had made a possible claim against the accused on behalf of the municipality of S ***; rather, the department *** is the department responsible for kindergartens. It was therefore not necessary for the accused to submit a medical statement to this office, from which information regarding the mental health and privacy of the person concerned emerged in order to defend against an alleged (still) existing claim for damages against him.
3.12. The data processing carried out by the accused was therefore to be qualified as a completely arbitrary disclosure of health data to third parties, which was not covered by any of the exceptions standardized in Art. 9 (2) GDPR. Ultimately, the accused, who has not been charged with further prosecution steps by the municipality of S *** since September 2014, would have in the event of a new judicial or extrajudicial assertion of a claim by the municipality of S *** with a written statement (and a corresponding offer of evidence) to defend themselves. The unsolicited transmission of health data of those affected in 2019 to a different department than the one from which the letter of formal notice came from 2019 - almost five years after the last contact was made by the competent authority of the municipality of S *** - was therefore unlawful as a result.
3.13. In application of the requirements and obligations according to Art. 5 Para. 1 lit. a and b in conjunction with Art. 9 Para. 1 and Para The transmission and disclosure of health data should never have been carried out without the express consent of the persons concerned. Against the background of the established facts, the accused as the person responsible according to Art. 4 Z 7 GDPR is responsible for the objective fact of the administrative violation of Art. 9 Paragraph 1 and Paragraph 2 in conjunction with Art. 83 Paragraph 5 lit. a GDPR .
3.14. On the subjective side of the facts, it was to be established that with regard to the transmission and disclosure of health data of the persons concerned to the department *** of the municipality S ***, an intentional inspection by the accused was to be assumed; This arises in particular against the background that, as stated above, there was no legitimate legal interest within the meaning of Art. 9 Para. 2 lit. Affected establish was made.
4. The following must be recorded for the determination of the sentence:
4.1. According to Art. 83 Para. 1 GDPR, the data protection authority must ensure that the imposition of fines for violations in accordance with Paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case. More specifically, Paragraph 2 leg cit states that when deciding on the imposition of a fine and its amount in each individual case, due consideration must be given to the following:
a) the type, gravity and duration of the breach, taking into account the type, scope or purpose of the processing concerned, as well as the number of persons affected by the processing and the extent of the damage suffered by them;
b) Willfulness or negligence of the breach;
c) any measures taken by the controller or the processor to reduce the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures taken by them in accordance with Articles 25 and 32;
e) any relevant previous violations by the controller or the processor;
f) Extent of working with the regulator to remedy the breach and mitigate its possible adverse effects;
g) categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the violation, in particular whether and, if so, to what extent the controller or the processor notified the violation;
i) [...]
j) [...]
k) any other aggravating or attenuating circumstances in the respective case, such as financial benefits gained directly or indirectly as a result of the breach or losses avoided.
According to Section 19 (1) VStG, the basis for the assessment of the penalty is the significance of the legal interest protected by criminal law and the intensity of its impairment by the act. In addition, according to the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed against each other, unless they already determine the threat of punishment. Particular care must be taken with the extent of the fault. Sections 32 to 35 of the Criminal Code apply mutatis mutandis, taking into account the nature of administrative criminal law. The accused's income and financial circumstances and any duties of care of the accused must be taken into account when assessing fines; However, this only to the extent that the provisions of the GDPR that are directly applicable do not supersede the provisions of the VStG and to the extent that Art. 83 (8) GDPR and recital 148 with regard to the procedural guarantees to be guaranteed are ordered.
4.2. In relation to the facts at hand, the following was taken into account to aggravate the sentencing:
- The transmission and disclosure of health data to the employer of the person concerned, whereby information relating to the sexual and intimate sphere results from the processed data, seriously encroaches on the legal interests of private and legal interests protected by Art. 8 ECHR and Art. 7 EuGRC Privacy of those affected. On the part of the accused, the transfer of data in question was granted and therefore, on the subjective side, there is fault in the form of willful intent within the meaning of Article 83 (2) (b) GDPR.
4.3. The following was mitigated when determining the sentence:
- The accused took part in the administrative criminal proceedings before the data protection authority and admitted to having carried out the data transfer, thereby helping to establish the truth;
- To date, the data protection authority has not had any relevant previous convictions against the accused;
- The accused is unemployed and therefore does not earn any income, but only receives social benefits.
4.4. The specifically imposed penalty therefore appears to be appropriate to the act and guilty of the offense and guilty, taking into account the determined income situation of the accused with regard to the actual inconvenience measured against the available range of penalties under Art. 83 (5) GDPR of up to € 20,000,000 and its imposition is necessary in order to to prevent the accused and third parties from committing the same or similar criminal acts. Particularly with a view to the longstanding neighborly conflict, it appears to be absolutely necessary in the sense of a special preventive effect to impose a fine in order to deter the accused from further - identical or similar - actions.



European Case Law Identifier
ECLI: AT: DSB: 2021: 2021.0.518.795