DSB (Austria) - 2023-0.420.407

From GDPRhub
Latest revision as of 14:56, 27 March 2024

DSB - 2023-0.420.407
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 9(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.06.2023
Published:
Fine: 10,000 EUR
Parties: gynaecologist
National Case Number/Name: 2023-0.420.407
European Case Law Identifier: ECLI:AT:DSB:2023:2023.0.420.407
Appeal: Pending appeal (BVwG (Austria))
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: Magdalena

The DPA imposed a fine of €10,000 on a gynaecologist after he disclosed the data subject's diagnosis in a public response to an online negative review by the data subject.

English Summary

Facts

On 26 September 2022 the data subject posted a negative review under her own name on a review website about her experience at a gynaecologist's practice. One day later, the controller, the gynaecologist, publicly responded to the review and disclosed that the data subject had been diagnosed with a vaginal infection. The controller argued that he disclosed the personal data in order to create a truthful picture for readers. The response remained publicly available at least until 3 October 2022.

Holding

Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that information about a person's vaginal infection is data concerning health under Article 4(15) GDPR. This is a special category of personal data under Article 9(1) GDPR, whose processing is prohibited unless one of the exceptions in Article 9(2) GDPR applies. The DPA found that none applied; in particular, the legitimate-interest ground of Article 6(1)(f) GDPR is not available for health data, so the controller's stated interest in giving readers a truthful picture could not justify the disclosure. Thus, the controller violated Article 9 GDPR and the principle of lawfulness under Article 5(1)(a) GDPR.

Secondly, the controller violated the principle of purpose limitation under Article 5(1)(b) GDPR. The DPA found that there was no concrete link between the purpose of the data collection (the diagnosis) and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review.

Thirdly, the controller violated the principle of data minimisation under Article 5(1)(c) GDPR, as the purpose to create a truthful image for readers could have been fulfilled without mentioning the diagnosis.

The DPA issued a fine of €10,000 under Article 83(1) GDPR based on the estimated income of the controller, as he did not disclose his financial circumstances.

The decision regarding the amount of the penalty has been challenged at the Federal Administrative Court (Bundesverwaltungsgericht, BVwG).


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


GZ: 2023-0.420.407 from June 29, 2023 (Procedure number: DSB-D550.747)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations, may be abbreviated and/or changed for pseudonymisation reasons. Obvious spelling, grammar and punctuation errors have been corrected.]

Penalty decision

Accused: Dr. Dieter N***, born on **.**.1960

As controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ L 119 of 4 May 2016, p. 1, as amended, you realised the following facts and thereby committed the following administrative offence(s):

-    In your role as controller, you unlawfully processed special categories of personal data in the federal territory of Austria in the period from 27 September 2022 to 3 October 2022 by publishing health data of Ms. Karina U*** in response to a W***net review, without any exception to the prohibition on processing special categories of personal data under Art. 9(2) GDPR applying.

By doing so, you have violated the following requirements of the GDPR:

    Processing of special categories of personal data in accordance with Art. 9 GDPR

    Principle of processing personal data lawfully, fairly and in a manner that is transparent to the data subject in accordance with Art. 5(1)(a) GDPR ("lawfulness, fairness and transparency")

    Principle of processing personal data for specified, explicit and legitimate purposes in accordance with Art. 5(1)(b) GDPR ("purpose limitation")

    Principle of processing personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of the processing in accordance with Art. 5(1)(c) GDPR ("data minimisation")

Administrative offense(s) according to:

Art. 5(1)(a), (b) and (c) as well as Art. 9(1) in conjunction with Art. 83(1) and (5)(a) GDPR, OJ L 2016/119, p. 1, as amended

The following penalty is imposed for this administrative offense:

[Editor's note: This penalty decision has been challenged at the Federal Administrative Court with regard to the amount of the penalty determined and is therefore, as of November 2023, not legally binding on this point.]

Fine: 10,000.00 euros

If irrecoverable, substitute prison sentence: 336 hours

Pursuant to: Art. 83(5)(a) GDPR

Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 (VStG), you must pay:

1,000.00 euros as a contribution to the costs of the penal proceedings, being 10% of the fine but at least 10 euros;

(no amount entered) euros as reimbursement of cash expenses.

The total amount payable (fine/costs/cash expenses) is therefore 11,000.00 euros.

Payment deadline:

If no appeal is lodged, this penalty is immediately enforceable. In that case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the decision becoming final, stating the file number and the date of the decision as the purpose of payment.

If payment is not made within this period, the total amount may be collected by enforcement, in which case a flat-rate contribution of five euros is payable. If the outstanding amount cannot be collected, the substitute prison sentence corresponding to that amount will be enforced.

Reason:

1.     The following facts relevant to the decision are established based on the evidence procedure carried out:

1.1. The accused is a specialist in gynaecology and obstetrics and runs a practice contracted with the public health insurance at K***platz **4, **** T***.

1.2. Ms. Karina U*** (hereinafter: the data subject) visited the accused's practice on 21 September 2022 because of an acute health complaint. The accused diagnosed her with a vaginal infection.

1.3. On 26 September 2022, the data subject wrote the following W***net review under her real name:

[Editor's note: Ms. U***'s review, reproduced here as a facsimile (graphic file), cannot be pseudonymized with reasonable effort and has therefore been removed. It contains the following content (not reproduced verbatim): Not recommended as a doctor. He behaved condescendingly towards me, showed no trace of empathy and completely ignored me as a patient, even when I was desperate and started to cry. Didn't even ask me the reason for the doctor's visit and I was immediately referred to his assistant. I see the time pressure given the number of patients, but a certain level of empathy and understanding would still be desirable. This wouldn't take any time either.]

1.4. The accused responded to the data subject's review in a public reply dated 27 September 2022:

[Editor's note: The accused's answer, reproduced here as a facsimile (graphic file), cannot be pseudonymized with reasonable effort and has therefore been removed. It contains the following content:]

“Hello Karina!

I diagnosed your vaginal infection and treated it immediately and professionally. You were able to come on the same day and did not have to pay anything. Unfortunately that is not enough for you and now you accuse me of a lack of empathy...

For my part, I also expect a certain level of cooperation and attention so that I can carry out the necessary medical consultation.”

1.5. The data subject's diagnosis could be found in the accused's publicly accessible reply at least until 3 October 2022.

1.6. In the administrative penal proceedings, the accused did not disclose his income and financial circumstances or any maintenance obligations to the data protection authority, despite being asked twice. The data protection authority therefore had to make an estimate (see below under sentencing).

2.     The findings are made based on the following assessment of evidence:

2.1. In his statement of defence dated 2 June 2023, the accused confirmed that he had written the reply reproduced under point 1.4. All findings under points 1.1 to 1.4 are therefore to be regarded as undisputed.

2.2. That the accused published the data subject's medical diagnosis at least until 3 October 2023 follows from the complaint that initiated the proceedings under case number D124.1332/22, in which the data subject stated that the accused's reply was still publicly visible as of 3 October 2023. The accused did not dispute this either in the complaint proceedings or in the present administrative penal proceedings.

2.3. By the request for a statement of defence dated 9 May 2023 and by a further letter dated 12 June 2023, the accused was asked to disclose his financial circumstances and any maintenance obligations to the data protection authority. The accused did not address this in his statement of 2 June 2023, and he did not respond to the second letter of 12 June 2023.

3.   Legally it follows:

3.1. On the material scope of the GDPR and the competence of the data protection authority

3.1.1. The material scope of the GDPR under Art. 2 GDPR is undoubtedly met in the present case. The accused did not argue that the GDPR does not apply. The so-called household exception under Art. 2(2)(c) GDPR is not fulfilled.

3.1.2. Art. 83(5)(a) GDPR provides that infringements of Articles 5, 6, 7 and 9 GDPR are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Under Section 22(5) DSG, the data protection authority, as the national supervisory authority for Austria, is responsible for imposing fines on natural and legal persons.

3.1.3. Consequently, the GDPR applies to the present case and the data protection authority has both subject-matter and territorial jurisdiction over these administrative penal proceedings.

3.2. On the unlawfulness of data processing and the violation of processing principles

3.2.1. Art. 4(2) GDPR defines "processing" as any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.2.2. Art. 4(7) GDPR defines "controller" as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

3.2.3. According to Art. 4(1) GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"). A person is identified if their identity follows directly from the information itself. A person is identifiable if the information on its own is not sufficient to attribute it to a person, but this becomes possible as soon as the information is linked with other information.

3.2.4. According to Art. 4(15) GDPR, "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

3.2.5. According to Art. 9(1) GDPR, special categories of personal data (formerly "sensitive data") are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

3.2.6. It is undisputed that the accused, as controller, processed personal data of the data subject by publishing his reply.

3.2.7. There is also no doubt that information about a person's vaginal infection is data concerning health within the meaning of Art. 4(15) GDPR.

3.2.8. The processing of health data is generally prohibited under Art. 9(1) GDPR unless one of the exceptions listed exhaustively in paragraph 2 leg. cit. applies.

3.2.9. Art. 9(2) GDPR sets out exceptions to the processing prohibition of Art. 9(1) GDPR and limits the admissibility of such processing to the circumstances listed in paragraph 2 lit. a to j leg. cit. These are narrower than the grounds for processing "non-sensitive" data in Art. 6(1) GDPR; in particular, the grounds of "processing in the legitimate interests of the controller or a third party" (Art. 6(1)(f)) and "processing for the performance of a contract" (Art. 6(1)(b)) are absent (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm, Art. 9 GDPR, para. 1).

3.2.10. In fact, the disclosure of the data subject's health data could not be based on any of the grounds listed in Art. 9(2) GDPR. Processing based on the general justification of legitimate interests within the meaning of Art. 6(1)(f) GDPR is not available for health data. The accused's argument in his statement of defence of 2 June 2023, that he was interested in creating a truthful overall picture for potential readers, is therefore of no avail.

3.2.11. As an interim result, the accused has in any case violated Art. 9 and Art. 5(1)(a) GDPR (principle of lawfulness).

3.2.12. According to Art. 5(1)(b) GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation").

3.2.13. In the present case, there was neither a concrete, coherent or sufficiently close connection between the purpose of the data collection and the further processing of the data, nor was it in any way foreseeable for the data subject that the accused would publish data on her medical diagnosis in response to her W***net review.

3.2.14. The accused has therefore also violated the principle of purpose limitation under Art. 5(1)(b) GDPR.

3.2.15. According to Art. 5(1)(c) GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation").

3.2.16. According to the accused, the purpose of publishing the data subject's diagnosis was to make his reply comprehensible and to give readers a truthful picture.

3.2.17. However, this purpose did not require mentioning the data subject's medical diagnosis in the comment. The accused could easily have responded to the negative review without citing the medical diagnosis.

3.2.18. The accused has therefore also violated the principle of data minimisation under Art. 5(1)(c) GDPR.

3.4. On the subjective element of the offence

3.4.1. As to the subjective element, given the deliberate publication of the data subject's medical diagnosis, it must be assumed that the accused carried out the processing in question intentionally. On the subjective side there is therefore culpability in the form of intent within the meaning of Art. 83(2)(b) GDPR.

4.   For sentencing, the following must be noted:

[Editor's note: This penalty decision has been challenged at the Federal Administrative Court with regard to the amount of the penalty determined and is therefore, as of November 2023, not legally binding on this point.]

4.1. Under Art. 83(1) GDPR, the data protection authority must ensure that the imposition of administrative fines for infringements referred to in paragraphs 5 and 6 is in each individual case effective, proportionate and dissuasive. Paragraph 2 leg. cit. provides in more detail that, when deciding whether to impose a fine and on its amount, due regard shall be given in each individual case to the following:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned and the number of persons affected by the processing and the extent of the damage suffered by them;

b) intentional or negligent violation;

c) any measures taken by the controller or the processor to mitigate the harm caused to the data subjects;

(d) the level of responsibility of the controller or processor, taking into account the technical and organizational measures taken by them in accordance with Articles 25 and 32;

e) any relevant previous breaches by the controller or processor;

(f) the extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects;

g) categories of personal data affected by the breach;

h) the manner in which the violation became known to the supervisory authority, in particular whether and, if applicable, to what extent the controller or processor reported the violation;

i) […]

j) […]

k) any other aggravating or mitigating circumstances in the relevant case, such as financial benefits gained or losses avoided directly or indirectly as a result of the breach.

4.2. The assessment of punishment within a statutory penalty framework is a discretionary decision that must be made in accordance with the criteria set by the legislature in Section 19 VStG (cf. VwGH September 5, 2013, 2013/09/0106). The assessment of punishment within a statutory penalty framework is a discretionary decision that is made according to The criteria set by the legislature in paragraph 19, VStG must be carried out (see VwGH 09/05/2013, 2013/09/0106).

4.3. According to Section 19 Para. 1 VStG, the basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the offence. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The defendant's income and financial circumstances and any care obligations must be taken into account when determining fines; however, only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG, and to the extent required by Article 83 Para. 8 GDPR and Recital 148 with regard to the procedural guarantees to be ensured.

4.4. If a fine is imposed on a natural person, in accordance with Section 16 Para. 1 VStG, a substitute prison sentence must also be imposed in the event that it cannot be collected. The substitute prison sentence may not exceed the maximum prison sentence threatened for the administrative offence and, if no prison sentence is threatened and nothing else is stipulated, two weeks.

4.5. According to the case law of the VwGH, the authority must proceed with an estimate of the income and financial circumstances if the accused refuses to provide information about these circumstances in the course of the administrative criminal proceedings (see e.g. VwGH June 30, 2004, 2001/09/0120; April 22, 1992, 92/03/0019; June 21, 1999, 98/17/0009). In this case, the accused must attribute it to his failure to cooperate if, in making this estimate, the authority did not take into account circumstances in his favour which could not have come to the attention of the authority without his cooperation.

4.6. In the present case, the income and financial circumstances of the accused could not be determined - due to the lack of information provided by the accused - and therefore could not be taken into account. The data protection authority therefore had to use an official estimate as the basis for determining the penalty.

4.7. According to the general income report of the Court of Auditors, specialist physicians with a focus on self-employment earned an average of EUR 153,399 in 2022 (see https://www.statistics.at/fileadmin/publications/Einkommensbericht-2022.pdf, p. 183).

4.8. Based on this, in the present case it is assumed that the accused's monthly gross income is €12,800.

4.9. In relation to the facts at hand, the following aggravating factors were taken into account when determining the sentence:

    Type and severity of the violation: The present processing by the accused represents a serious interference with the data protection rights of the data subjects. The data subject could trust that their health data in the form of a medical diagnosis would not subsequently be published on the Internet by the accused. As a result, the type and intensity of the interference with fundamental rights can be classified as high.

    Intentionality: The violation was committed intentionally by the accused (see point 3.5.).

4.10. The following was taken into account in mitigating the sentencing:

    Previous convictions: To date, the data protection authority has not had any relevant previous convictions against the accused due to violations of the GDPR or the DSG.

    Participation in administrative criminal proceedings: The accused responded in a timely manner to the request for justification in the administrative criminal proceedings. The accused admitted to the data protection authority that he had published the response containing the data subject's health data. This helped to clarify the matter to some extent.

4.11. According to the established jurisprudence of the VwGH, considerations of special prevention and general prevention may also be taken into account when determining the punishment (see VwGH May 15, 1990, 89/02/0093; VwGH April 22, 1997, 96/04/0253; VwGH January 29, 1991, 89/04/0061). Pursuant to Article 83 (1) GDPR, the supervisory authorities must also ensure that the fines are effective, proportionate and dissuasive in each individual case.

4.12. The imposition of the fine is necessary in a general preventive sense in order to make controllers (e.g. other persons responsible in the healthcare system) aware of the unlawfulness of such data processing.

4.13. In the present case, there are also special preventive reasons for the amount of the fine imposed. The data protection authority was given the impression that the accused could continue to commit such violations in the future. In his justification he stated that he had been forced to present the previous history in order to create a truthful picture. Furthermore, the accused's other responses to W***net reviews of doctor's visits to him reveal that the accused continually mentions details of the examinations he has carried out when responding to poor reviews. Corresponding screenshots can be found in the procedural file of the data protection authority. Future publications of medical diagnoses by the accused therefore do not seem unlikely.

4.14. The specific penalty imposed therefore appears to be appropriate to the offence and the degree of guilt, taking into account the estimated income of the accused and the wrongfulness of the offence committed, measured against the available penalty range of up to € 20,000,000 under Article 83 (5) GDPR, and its imposition is necessary in order to deter the accused and third parties from committing the same or similar offences.