DSB - DSB-2021-0.101.211

From GDPRhub
DSB - DSB-2021-0.101.211
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(15) GDPR
Article 6(1)(c) GDPR
Article 9 GDPR
§ 1 National Law on Epidemics (EpiG)
§ 2 National Law on Epidemics (EpiG)
§ 3 National Law on Epidemics (EpiG)
§ 4 National Law on Epidemics (EpiG)
§ 1 National Data Protection Act (DSG)
Type: Complaint
Outcome: Rejected
Decided: 15.02.2021
Published: 25.03.2021
Fine: None
Parties: Dr. Walter A. (complainant)
N*** Ärztezentrum-Dr. U*** & Co GmbH (respondent)
National Case Number/Name: DSB-2021-0.101.211
European Case Law Identifier: ECLI:AT:DSB:2021:2021.0.101.211
Appeal: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: Fabian Schuster

The Austrian DPA (DSB) held that the negative PCR (SARS_CoV-2) test is to be qualified as a health data pursuant to Article(4)(15) GDPR and that the scope of protection of Article 9(2) must be taken into account as a standard in the subsequent review of lawfulness.

The DPA also comes to the conclusion that in context of the current pandemic the transfer of health data relevant here can be based on the legal obligation of the respondent to also transfer negative PCR test results to the competent district administrative authority, which is laid down in § 3(1) EpiG in connection with § 1( 3) of the ordinance of the Minister of Health, Federal Law Gazette II No. 323/2020.

English Summary[edit | edit source]

Facts[edit | edit source]

The respondent operates a primary care centre. Among other things, PCR tests for SARS CoV-2 are carried out under its responsibility.

The complainant had a voluntary PCR test (SARS-CoV-2) carried out at the respondent's primary care centre. By text message of 28 September 2020, he had been informed that the result of his PCR test was available and that the result was negative. The following day, he received an SMS with the following text: "Your test result of the sample collection of 28 September 2020 has been received. COVID-19 test for Walter, born 19** is NEGATIVE. Your district administrative authority".

The respondent argued that it was allowed to pass on the data on the basis of the Ordinance of the Federal Minister of Health concerning electronic laboratory reports in the register of notifiable diseases, Federal Law Gazette II No. 184/2013 as amended by Federal Law Gazette II 323/2020. However, this was contested.

Dispute[edit | edit source]

The dispute concerns the question whether the respondent violated the complainant's right to confidentiality by forwarding his information of a negative PCR (SARS-CoV-2) test to a district administrative authority.

Holding[edit | edit source]

The DPA held “that the wording of Art. 4(15) GDPR does not link a certain (minimum) impairment of physical or mental health, which argues in favour of a broad interpretation of the term "health data".

This is even clearer in Recital 35 of the Regulation, which states that personal data concerning health should include any data revealing information about the past, present and future physical or mental health status of the data subject.

These considerations are also covered by the case law of the ECJ, according to which the term "date of health" is to be interpreted broadly (cf. on the comparable legal situation under Directive 95/46 the judgement of the ECJ of 6 November 2003, C 101/01, Rs Lindqvist, para 50 f).

As an interim result, it must therefore be noted that (also) the negative test of the complainant is to be qualified as a health data pursuant to Art. 4 Z 15 GDPR and the scope of protection of Art. 9 para. 2 leg. cit. must be taken into account as a standard in the subsequent review of lawfulness”

The DPA went on and held that “A synopsis of the provisions of Article 9(1)(i) of the GDPR in conjunction with Article 3(1)(1), (1a) and (2) of the EpiG shows that the competent institution or, subsidiarily, the responsible laboratory that diagnoses the pathogen of a notifiable disease (such as the coronavirus) is obliged to notify the competent district administrative authority (as public health authority). In order to fulfil this legal obligation, it is therefore necessary (and thus permissible) for the respective agency to submit an official notification of a positive PCR test.

In the case in question, however, an official report was submitted on a negative PCR test. The obligation to submit an official report on a negative PCR test cannot be derived from the wording of Section 3(1)(1) and (1a) EpiG.

The obligation to submit an official notification specified in § 3 para. 1 EpiG may, however, be extended by the Federal Minister of Health pursuant to § 1 para. 2 leg. cit. may be extended by the Federal Minister of Health if this is justified for epidemiological reasons or required due to international obligations.

This possibility to extend the reporting obligations was used in the context of the current pandemic around COVID-19:

The Ordinance of the Federal Minister of Health concerning electronic laboratory reports in the register of notifiable diseases, Federal Law Gazette II No. 184/2013 as amended, was amended by Federal Law Gazette II No. 323/2020 to the effect that, pursuant to its § 1 para 3, facilities are obliged to also transmit all negative and invalid results to the district administrative authority in the event of a pandemic with COVID-19.

The regulation relevant here, which extended the reporting obligation, is based on the legal basis of Section 3 (1) EpiG and equally binds the respective medical institutions. Moreover, according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art. 9(2)(i) of the GDPR is based, does not necessarily have to be based on a legislative act adopted by a parliament.

Furthermore, there are no concerns with regard to the requirement of determinacy of normative provisions: In contrast to the Vienna Contact Tracing Ordinance objected to by the data protection authority (see the decision of 19 November 2020, GZ 2020-0.743.659), the scope and application of Section 3(1) of the EpiG in conjunction with Section 1(3) of the above-mentioned Ordinance of the Minister of Health are clear and precise. 3 of the aforementioned Ordinance of the Minister of Health are clear and precise, and it is clear to data subjects from the wording of these standards that negative and invalid PCR tests are also covered by the obligation to report to the district administrative authority (cf. recital 41, second sentence of the GDPR).

The extension of the reporting requirement of Section 3(1) of the EpiG is also expedient for combating COVID-19, as the data material (i.e. country- and federation-specific information on negative and invalid PCR tests) is relevant for targeting the pandemic strategy - especially the testing strategy. Although this was not objected to by the complainant, it must also be pointed out - with due brevity - that the standards of the EpiG and the cited ordinance of the Minister of Health also contain requirements with regard to purpose limitation, data minimisation and data security.

Against the background of all these considerations, the data protection authority therefore comes to the conclusion that the transfer of data relevant here can be based on the legal obligation of the respondent to also transfer negative PCR test results to the competent district administrative authority, which is standardised in § 3 para. 1 EpiG in connection with § 1 para. 3 of the aforementioned ordinance of the Minister of Health.

The disclosure of data relevant here therefore proves to be lawful and no violation of the complainant's right to confidentiality is to be assumed.

Therefore, the appeal is dismissed as unfounded.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Deciding authority
Data protection authority

Decision date
15.02.2021

Business number
2021-0.101.211

Appeal to the BVwG/VwGH/VfGH
This decision is legally binding.

Text
GZ: 2021-0.101.211 of 15 February 2021 (procedure number: DSB-D124.3158)
[Editor's note: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may have been abbreviated and/or changed for pseudonymisation reasons. Obvious spelling, grammatical and punctuation errors have been corrected].

DECISION
Saying

The data protection authority decides on the data protection complaint of Dr. Walter A*** (complainant), represented by Dr. Josef B***, lawyer in ****, of 22 October 2020 (ha. received on 27 October 2020) against N*** Ärztezentrum - Dr. U*** & Co GmbH (respondent) for violation of the right to confidentiality as follows:

-	The appeal is dismissed as unfounded.

Legal basis: Art. 4 Z 15, Art. 6 para. 1 lit. c, Art. 9 para. 1 and para. 2 lit. i as well as Art. 77 para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119, 4.5.2016 p. 1; §§ 1 para. 1 and para. 2 as well as 24 para. 1 and para. 5 of the Data Protection Act (hereinafter: DSG), Federal Law Gazette I no. 165/1999 as amended; Sections 1(1)(1) and (2), 2(1), 3(1)(1), (1a) and (2) and 4 of the Epidemics Act 1950 (hereinafter: EpiG), Federal Law Gazette No. 186/1950 as amended; Sections 1 and 2 of the Ordinance of the Federal Minister for Health on Electronic Laboratory Reports to the Register of Notifiable Diseases, Federal Law Gazette II No. 184/2013 as amended.

Justification

A. Arguments of the parties and course of the proceedings
In his submission of 22 October (ha. received on 27 October 2020), supplemented on 6 November 2020 (ha. received on 10 November 2020), the complainant, who was represented by a lawyer, alleged a violation of the right to confidentiality.
 
In summary, it was submitted that on 28 September 2020, the complainant had a voluntary PCR test (SARS-CoV-2) carried out at the respondent's primary care centre. By text message of 28 September 2020, he had been informed that the result of his PCR test was available as follows: "Your result is available! Download at https://befunde.***labor.at. Log in with your SV number (10 digits) and this TAN: XXX". He then asked for the result and found out that the result was negative. The following day, he received an SMS with the following text: "Your test result of the sample collection of 28 September 2020 has been received. COVID-19 test for Walter, born 19** is NEGATIVE. Your district administrative authority". 

An enquiry with the respondent had revealed that the respondent was of the opinion that it was allowed to pass on the data on the basis of the Ordinance of the Federal Minister of Health concerning electronic laboratory reports in the register of notifiable diseases, Federal Law Gazette II No. 184/2013 as amended by Federal Law Gazette II 323/2020. However, this was contested. The complainant therefore sought a declaration that his rights had been violated.

2. in its statement of 4 December 2020 (ha. received on 22 December 2020), the respondent, represented by T*** Laborbetriebs GmbH ("on behalf of Dr. U*** & Co GmbH"), submitted the following in summary:
As a specialised medical laboratory, it was obliged to comply with the reporting obligations of the EpiG. It had acted in accordance with the applicable laws. Furthermore, ‑reference was made to the "Austrian testing strategy for SARS-CoV2‑" published by the Federal Ministry on 13 October 2020.‑ Point 3.1 (page 19 and page 20) states that negative test results have to be transmitted to the Epidemiological Reporting System (EMS) in accordance with the Laboratory Reporting Ordinance.
In his statement of 5 February 2021 (ha. received on 9 February 2021), the complainant - after hearing the parties on the results of the investigation proceedings - summarised the following:
The ordinance of the Federal Minister of Health on electronic laboratory reports in the register of notifiable diseases cited by the respondent was not a suitable basis for the use of data relevant here. The registration of a negative test in the register of notifiable diseases was not provided for by law. Thus, a regulatory obligation to register negative test results in the register of notifiable diseases was also inadmissible.

B. Subject matter of the appeal
On the basis of the submissions, the subject matter of the complaint is whether the respondent violated the complainant's right to confidentiality by forwarding the information that the complainant's PCR test (SARS-CoV-2) carried out at the respondent's on 28 September 2020 was negative to a district administrative authority. 

C. Findings of fact
The respondent operates a primary care centre. Among other things, PCR tests for SARS-CoV-2 are carried out under its responsibility.

2. the complainant conducted such PCR test on 28 September 2020 at the said primary care centre of the respondent.

3 The complainant then received the following message by SMS to his telephone number on 28 September 2020 (formatting not reproduced 1:1):
[Editor's note: the SMS reproduced here as a graphic file (screenshot) cannot be pseudonymised with reasonable effort. It has the content stated in the complaint (see 1. above)].

4 Subsequently, on 29 September 2020, the complainant received the following message via SMS to his telephone number (formatting not reproduced 1:1):
[Editor's note: the SMS reproduced here as a graphic file (screenshot) cannot be pseudonymised with reasonable effort. It has the content stated in the complaint (see 1. above)].

5 A query to the respondent had revealed that the respondent had forwarded the information that the complainant's PCR test carried out at the respondent's on 28 September 2020 was negative to a district administrative authority. 

Consideration of evidence: 
The findings made are based on the complainant's submission of 22 October 2020 (ha. received on 27 October 2020) and on the screenshots submitted therein. The submission of the complainant was not disputed by the respondent. The respondent also implicitly confirmed the transfer of the negative test result to a district administrative authority by making statements on the legality of the transfer of data relevant here. It is also clear from the respondent's FAQ that (at least in the case of a positive test) the respondent submits an official report, see https://www. ***aerztezentrum***.at/sars-cov-2-pcr-testing***/ under point "What happens if I am tested positive?" (accessed 12 February 2021). 

D. In legal terms, it follows that:

1. applicable legislation:
Section 1(1)(1) and (2) of the EpiG, including the heading, reads as follows (emphasis added by the data protection authority):

Notifiable diseases.
(1) The obligation to notify shall apply to:
1. Suspected cases, cases of illness and death from cholera, yellow fever, virus-induced haemorrhagic fever, infectious hepatitis (hepatitis A, B, C, D, E), canine tapeworm (Echinococcus granulosus) and fox tapeworm (Echinococcus multilocularis), infections with influenza virus A/H5N1 or another avian influenza virus, polio, bacterial and viral food poisoning, leprosy, leptospiral diseases, measles, MERS-CoV (Middle East Respiratory Syndrome Coronavirus/"new Corona virus"), anthrax, psittacosis, paratyphoid fever, plague, smallpox, rickettsiosis caused by R. prowazekii, glanders, transmissible dysentery (amoebic dysentery), SARS (Severe Acute Respiratory Syndrome), transmissible spongiform encephalopathies, tularemia, typhoid fever (abdominal typhus), puerperal fever, rage disease (Lyssa) and bite injuries from rage-sick or suspected animals,

(2) The Federal Minister for Health and Women's Affairs may, if justified for epidemiological reasons or required by international obligations, by ordinance subject further communicable diseases to compulsory notification or extend existing notification obligations.
Section 2 (1) of the EpiG, including the heading, reads as follows:

Filing of the complaint.
(1) Every illness, every death from a notifiable disease, in the cases of § 1 par. 1 fig. 1 also every suspicion of such an illness, shall be reported to the district administrative authority (public health office) in whose area the sick person or suspected sick person is staying or in whose area the death has occurred, stating the name, age and place of residence and, as far as possible, the name of the disease within 24 hours.
Section 3(1)(1), (1a) and (2) of the EpiG, including the heading, reads as follows (emphasis added by the data protection authority):
Persons obliged to report.

§ 3. (1) The following are obliged to file a report:

1. the doctor consulted, in hospitals, maternity hospitals and other institutions for humanitarian purposes the director of the institution or the head of a department who is obliged to do so by special regulations;

1a. any laboratory that diagnoses the causative agent of a notifiable disease;

[…]

(2) The obligation to notify shall be incumbent on the persons referred to in Nos. 2 to 8 only if there is no obligated person previously mentioned in the above list under Nos. 1 to 7.


Section 4 of the EpiG, including the heading, shall read as follows:
Register of notifiable diseases
(1) The Federal Minister responsible for public health shall operate an electronic register concerning notifications pursuant to § 1 paras 1 and 2, § 2 para 2, § 28c and notifications pursuant to §§ 5 and 11 of the Tuberculosis Act, Federal Law Gazette No. 127/1968. The Federal Minister responsible for health is the responsible person. With regard to the processing of personal data under this Federal Act, there is no right of objection under Article 21 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119, 04.05.2016 p. 1.

(2) The register of notifications shall serve to fulfil the tasks of the district administrative authorities to conduct surveys on the occurrence of notifiable diseases (§ 5 of this Federal Act and § 6 of the Tuberculosis Act) and to prevent the further spread and combat notifiable diseases (§§ 6 to 26a of this Federal Act and §§ 7 to 14 and 23 of the Tuberculosis Act) and to fulfil the tasks of the provincial governors within the framework of their coordination function pursuant to § 43 paras 6 and 7.

(3) The district administrative authorities shall be obliged to process in the register the data from notifications pursuant to § 1 paras 1 and 2 and § 2 para 2, § 28c, the data collected within the framework of surveys on the occurrence of notifiable diseases and the data related to measures taken. The district administrative authorities are further obliged to process in the register the data from notifications under sections 5, 10 and 11 of the Tuberculosis Act, the data collected in the course of surveys on the occurrence of tuberculosis and the data related to measures taken.

4. The following categories of data shall be processed in the register:
1. data for the identification of ill persons, persons suspected of an illness, bitten persons, deceased persons or persons who have left (name, sex, date of birth, place of residence, telephone number and e-mail address if available, national insurance number and area-specific personal identifier (§ 9 E-GovG, Federal Law Gazette I No. 10/2004)),

2. if applicable, dates of death (date, cause of death, autopsy status),

3. clinical data (history and course of disease) and laboratory data relevant to the notifiable disease,

4. data on the environment of the diseased, suspected, bitten, deceased or excreted person, insofar as they are related to the notifiable disease, as well as data for the identification of contact persons (name, telephone number, e-mail address, place of residence) and

5. data on the precautionary measures taken.

(5) For data processing pursuant to paras 2 to 4, the use of the name and the area-specific personal identifier GH shall be permitted.

(6) Any use of the data processed in the register may only be made in execution of this Federal Act, in execution of the Tuberculosis Act or in execution of the Zoonoses Act, Federal Law Gazette I No. 128/2005.

(7) The district administrative authority may, within the scope of its competence, process in a personalised manner all data of a person in the register that are related to a specific suspected case, case of illness or case of death for the purposes of surveys on the occurrence and the prevention and control of a notifiable disease under this Federal Act and under the Tuberculosis Act. Within the scope of his coordinating function under section 43(5) and (6), the governor may process in a personalised manner all data of a person in the register that are related to a specific suspected case, case of illness or case of death. If an expert has been appointed by the Federal Minister responsible for Veterinary Affairs pursuant to § 3 para. 7 of the Zoonoses Act or by the Federal Minister responsible for Health pursuant to § 5 para. 4 of this Federal Act to clarify zoonoses outbreaks or outbreak clusters involving more than one federal state, the expert may process all data of persons in the register that may be related to this zoonoses outbreak or outbreak cluster in a personalised manner, insofar as this is necessary to clarify this zoonoses outbreak or outbreak cluster. Transmission of personal data to third parties and further processing of personal data for other purposes shall not be permitted. The Federal Minister responsible for public health may process the data of a person in the register on a personal basis for the purpose of fulfilling the obligations under Articles 15 and 16 of the General Data Protection Regulation.

(8) The Federal Minister responsible for public health may process the data in the register in pseudonymised form for the purposes of epidemiological surveillance, quality assurance and to fulfil reporting obligations resulting from EU law. The Federal Minister responsible for health may use third parties as processors for this purpose. The district administrative authority and the governor of the province may process the data in the register in pseudonymised form for the purposes of epidemiological surveillance.

(9) The Federal Minister, Family and Youth responsible for the health sector shall ensure that any access to the register is only possible upon proof of unique identity (section 2 line 2 E-GovG) and authenticity (section 2 line 5 E-GovG). He/she must ensure that appropriate, state-of-the-art precautions are taken to prevent the destruction, modification or retrieval of the register's data by unauthorised users or systems, and that all usage processes carried out, such as, in particular, entries, modifications, retrievals and transmissions, are logged to the extent necessary.

(10) The confidentiality of data transmission shall be guaranteed by state-of-the-art encrypted transmission procedures.

(11) The data in the register shall be deleted as soon as they are no longer required for the fulfilment of the tasks of the district administrative authorities in connection with the survey on the occurrence and in connection with the prevention and control of a notifiable disease under this Federal Act and under the Tuberculosis Act.

(12) The district governor, the provincial governor and the federal minister responsible for health care shall be obliged to assign and document the access authorisation for the individual users individually. Authorised users shall be excluded from further exercising their access authorisation if they no longer require it for the further fulfilment of the tasks assigned to them or if they do not process the data in accordance with their intended purpose.

(13) The district administrative authorities and the governor of the province shall take organisational and technical precautions to ensure that, as a matter of principle, only employees of the authority have access to rooms in which the register can be accessed. If it is necessary that party transactions take place in rooms with access to the register, it must be ensured that it is not possible for outsiders to inspect the data of the register.

(14) If the communication technology device that enables access to the register is removed from the authority area, it must be ensured that unauthorised inspection and use is excluded.

(15) Laboratories shall fulfil their reporting obligation (§ 1 in conjunction with § 3 para 1 subpara 1a of this Federal Act and § 5 para 2 of the Tuberculosis Act) electronically by entering the report in the register. The Federal Minister responsible for health care shall specify details of these reports by decree.

(16) The Austrian Agency for Health and Food Safety as national reference centre and reference laboratory for tuberculosis shall fulfil its reporting obligation according to § 1 in connection with § 3 para 1 subpara 1a (laboratory findings) electronically by entering the report into the register. Furthermore, the results of resistance testing and typing shall be entered electronically into the register.

(17) The Federal Minister responsible for health care may provide by decree, in accordance with technical possibilities, that persons required to report under section 3(1)(1) may also fulfil their reporting obligation under section 1 electronically by entering the report in the register. In doing so, the data security measures provided for in paras. 12 to 14 shall be taken by the persons obliged to report.

Sections 1 and 2 of the Ordinance on Electronic Laboratory Reports read as follows:
(1) Laboratories within the meaning of this Ordinance are facilities that directly or indirectly diagnose pathogens of notifiable diseases in humans.

(2) Laboratories shall be obliged to comply with their notification obligation under section 3(1)(1a) of the Epidemics Act 1950, Federal Law Gazette No. 186/1950, as amended, electronically in the register of notifiable diseases.

3. The notification shall include the following types of data:
1. data for the identification of sick persons, deceased persons or persons who have left (name, sex, date of birth, place of residence, telephone number and e-mail address, if available, and national insurance number),

2. type of pathogen,

3. Material examined,

4. details of the research method,

5. details of the analytical result, in any case in the case of a pandemic with COVID-19 also all negative and invalid results and.

6th category of the sample.
(4) In the event of a technical failure of the registry, the notification shall be made within 24 hours by other appropriate means (e.g. by telephone).

(1) Electronic transmission shall be effected exclusively via an interface for laboratory information systems provided by the Federal Ministry of Health.

(2) Laboratories shall be obliged to use the respective valid version of the laboratory interface description provided by the Federal Ministry of Health for the transmission of data.

2. the right to confidentiality

2.1 Scope of application of the right to confidentiality
According to Section 1 (1) of the Data Protection Act, everyone has the right to confidentiality of personal data concerning him or her, insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is not accessible to a claim of secrecy due to its lack of traceability to the person concerned.

The GDPR and, in particular, the principles enshrined therein are to be used to interpret the right to confidentiality (cf. the decision of the DPO of 31 October 2018, GZ DPO D123.076/0003-DPO/2018).‑
In the case at hand, the scope of application of Section 1 (1) of the Data Protection Act is open, since the information relevant here - namely that the complainant's PCR test result is negative - indisputably relates to the complainant pursuant to Article 4 (1) of the Data Protection Regulation.

2.2 General information on the limitation of the right to confidentiality
Restrictions on the right to confidentiality are permissible under Section 1(2) DPA if personal data are used in the vital interest of the data subject, the data subject has given consent (or in the terminology of the GDPR: consent), if there is a qualified legal basis for the use, or if the use is justified by overriding legitimate interests of a third party.

2.3 On the negative test as a health date
Before reviewing the admissibility of the restriction of the right to confidentiality, however, it must be questioned whether a negative test - i.e. the finding that a person is not infected with SARS-CoV-2 (up to a certain point in time and with a certain probability) - also qualifies as a health date according to Art. 4 Z 15 DSGVO.

This is relevant because according to Section 1 (2) DSG and Art. 9 (1) DSGVO, the use of categories of data that are particularly worthy of protection by their nature is only permitted under strict conditions.
In this regard, it should first be noted that the wording of Art. 4(15) GDPR does not link a certain (minimum) impairment of physical or mental health, which argues in favour of a broad interpretation of the term "health data".

This is even clearer in Recital 35 of the Regulation, which states that personal data concerning health should include any data revealing information about the past, present and future physical or mental health status of the data subject.

These considerations are also covered by the case law of the ECJ, according to which the term "date of health" is to be interpreted broadly (cf. on the comparable legal situation under Directive 95/46 the judgement of the ECJ of 6 November 2003, C 101/01, Rs Lindqvist, para 50 f).

As an interim result, it must therefore be noted that (also) the negative test of the complainant is to be qualified as a health data pursuant to Art. 4 Z 15 GDPR and the scope of protection of Art. 9 para. 2 leg. cit. must be taken into account as a standard in the subsequent review of lawfulness. 

2.4 On the lawfulness of the data transfer
The disclosure of data relevant here - i.e. the transfer of the complainant's negative test to a district administrative authority - is not in the vital interest of the complainant, and consent is also not present. 
The facts of legitimate interest according to Art. 6 para. 1 lit. f DSGVO can also be used in the scope of protection of Art. 9 para. 2 leg. cit. cannot be invoked. 

However, the question arises whether there is a qualified legal basis, specifically a legal obligation on the part of the respondent to disclose the data relevant here.

A synopsis of the provisions of Article 9(1)(i) of the GDPR in conjunction with Article 3(1)(1), (1a) and (2) of the EpiG shows that the competent institution or, subsidiarily, the responsible laboratory that diagnoses the pathogen of a notifiable disease (such as the coronavirus) is obliged to notify the competent district administrative authority (as public health authority). In order to fulfil this legal obligation, it is therefore necessary (and thus permissible) for the respective agency to submit an official notification of a positive PCR test. 

In the case in question, however, an official report was submitted on a negative PCR test. 
The obligation to submit an official report on a negative PCR test cannot be derived from the wording of Section 3(1)(1) and (1a) EpiG. 

The obligation to submit an official notification specified in § 3 para. 1 EpiG may, however, be extended by the Federal Minister of Health pursuant to § 1 para. 2 leg. cit. may be extended by the Federal Minister of Health if this is justified for epidemiological reasons or required due to international obligations.

This possibility to extend the reporting obligations was used in the context of the current pandemic around COVID-19:
The Ordinance of the Federal Minister of Health concerning electronic laboratory reports in the register of notifiable diseases, Federal Law Gazette II No. 184/2013 as amended, was amended by Federal Law Gazette II No. 323/2020 to the effect that, pursuant to its § 1 para 3, facilities are obliged to also transmit all negative and invalid results to the district administrative authority in the event of a pandemic with COVID-19. 

The regulation relevant here, which extended the reporting obligation, is based on the legal basis of Section 3 (1) EpiG and equally binds the respective medical institutions. Moreover, according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art. 9(2)(i) of the GDPR is based, does not necessarily have to be based on a legislative act adopted by a parliament. 

Furthermore, there are no concerns with regard to the requirement of determinacy of normative provisions:
In contrast to the Vienna Contact Tracing Ordinance objected to by the data protection authority (see the decision of 19 November 2020, GZ 2020-0.743.659), the scope and application of Section 3(1) of the EpiG in conjunction with Section 1(3) of the above-mentioned Ordinance of the Minister of Health are clear and precise. 3 of the aforementioned Ordinance of the Minister of Health are clear and precise, and it is clear to data subjects from the wording of these standards that negative and invalid PCR tests are also covered by the obligation to report to the district administrative authority (cf. recital 41, second sentence of the GDPR). 

The extension of the reporting requirement of Section 3(1) of the EpiG is also expedient for combating COVID-19, as the data material (i.e. country- and federation-specific information on negative and invalid PCR tests) is relevant for targeting the pandemic strategy - especially the testing strategy.
Although this was not objected to by the complainant, it must also be pointed out - with due brevity - that the standards of the EpiG and the cited ordinance of the Minister of Health also contain requirements with regard to purpose limitation, data minimisation and data security. 

Furthermore, a PCR test (i.e. the determination of whether a person is infected) is not a special data processing operation - such as profiling pursuant to Art. 4(4) of the GDPR - so that it cannot be assumed that the standard for national norms contained in Art. 9(2)(i) of the GDPR would be violated. cit. to standardise "adequate and specific protection measures" would be violated.

3. result
Against the background of all these considerations, the data protection authority therefore comes to the conclusion that the transfer of data relevant here can be based on the legal obligation of the respondent to also transfer negative PCR test results to the competent district administrative authority, which is standardised in § 3 para. 1 EpiG in connection with § 1 para. 3 of the aforementioned ordinance of the Minister of Health.

The disclosure of data relevant here therefore proves to be lawful and no violation of the complainant's right to confidentiality is to be assumed.

Therefore, the decision had to be in accordance with the ruling.

The question of whether it was admissible that the competent district administrative authority subsequently informed about the negative test result by text message did not have to be addressed, as this was no longer covered by the subject matter of the complaint.

European Case Law Identifier
ECLI:AT:DSB:2021:2021.0.101.211