Recent decisions of the Austrian Data Protection Authority (DPA)
1. The transmission of a negative PCR test result to the health authority (15.2.2021, 2021-0.101.211):
The DPA had to deal with the admissibility under data protection law of the transmission of a negative PCR test result to a health authority.
The complainant undertook a voluntary PCR test with the respondent, as the operator of a laboratory. The test result was negative. Later, the complainant found out that the respondent had forwarded the negative test result to the competent health authority, which, according to the complainant, had been done unlawfully.
The basic question to be examined was whether the information about a negative PCR test result of a certain person falls within the scope of protection of Art 9 GDPR. It had to be noted that the legal definition of "health data" in Art 4 no 15 GDPR is not linked to a certain (minimum) impairment of physical or mental health. This becomes even clearer in recital 35 of the GDPR, according to which personal health data should include all data from which information on the past, present and future physical or mental state of health of the data subject is obtained. The European Court of Justice also interprets the term "health data" broadly (ECJ, 6.11.2003, C 101/01 [Lindqvist], on the comparable legal situation under Directive 95/46/EC). Therefore, the protection regime of Art 9 (2) GDPR had to be (also) observed for the assessment of the data transfer relevant here.
With regard to legality, it had to be noted that Article 9 (1) lit i GDPR in conjunction with § 3(1) no 1, 1a and 2 of the Austrian Epidemic Law ("Epidemiegesetz") do not impose an obligation to submit an official report on a negative PCR test. However, the obligation to submit an official report pursuant to § 1 (2) of the Austrian Epidemic Law may be extended by the Federal Minister of Health if this is justified for epidemiological reasons or required due to international obligations. This possibility to extend the reporting obligations was used in the context of the current pandemic. Therefore, § 1 (3) of the Regulation issued by the Federal Minister of Health on electronic laboratory reports to the register of notifiable diseases was amended to the effect that the facilities are obliged to also transmit all negative and invalid results to the competent health authority in the event of a pandemic with COVID-19. The relevant regulation here, which extended the reporting obligation, is based on the legal basis of § 3 (1) of the Austrian Epidemic Law and binds the respective medical institutions in the same way. Moreover, according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art 9(2) lit i GDPR is based, does not necessarily have to be based on a legislative act adopted by a parliament. A PCR test (i.e. the determination of whether a person is infected) is not a special data processing operation - such as profiling pursuant to Article 4 no 4 GDPR - so that it cannot be assumed that the standard set out in Article 9 (2) lit i of the Regulation for national norms to standardise "adequate and specific protection measures" would be violated.
The extension of the reporting requirement of § 3 (1) of the Austrian Epidemic Law is also appropriate in the fight against COVID-19, as the data material (i.e. country- and federation-specific information on negative and invalid PCR tests) is relevant for the orientation of the pandemic strategy - especially the testing strategy. The DPA therefore came to the conclusion that the transmission of a negative PCR test result to the competent health authority is permissible.
The decision is legally binding.
2. Requirement to file a complaint (9.3.2021, 2021-0.157.107):
The DPA had to deal with the question of whether it is permissible under data protection law to require a guest to fill out a questionnaire to determine his or her health condition before being allowed to remain in a hotel. The guest, however, had never filled in this questionnaire.
The complainant booked a stay at the respondent's hotel. The complainant was asked to fill in a physical questionnaire as he entered the hotel. According to the respondent, the questionnaire was used "to reduce the risk of infectious diseases" related to the coronavirus. It asked for symptoms which, according to current scientific evidence, were associated with the coronavirus. However, the complainant did not fill out this questionnaire, but crossed it out. Consequently, no data was collected from him.
Based on these facts, it had to be noted that a requirement for filing a complaint with the DPA is that data processing has taken place (cf. Art. 4 no 1 GDPR) and that a violation of rights is alleged as a result of that processing. Data processing that was planned but ultimately did not take place is not amenable to a complaint under Art 77 GDPR in conjunction with § 24 of the Austrian Data Protection Act. This is already indicated by the wording of Art 77 (1) GDPR and § 24 (1) of the Austrian Data Protection Act, according to which a complaint can only be filed if the data subject is of the opinion that the processing of personal data concerning him or her violates the GDPR (and not "will violate" or "could violate"). A review by the DPA and the courts also takes into account the fact that a complaint procedure serves to assert subjective rights. Thus, it is a fundamental requirement that the legal position of the data subject is or has been directly affected by a misconduct of the controller.
However, a complaints procedure does not serve the purpose of reviewing the compliance with objective obligations by a controller without the non-compliance manifesting itself in an impairment of subjective legal positions (cf. on data security measures the decision of 13.9.2018, DSB-D123.070/0005-DSB/2018). The complainant also failed to allege that not completing the questionnaire would be associated with a disadvantage for the complainant (such as the respondent's refusal to conclude an accommodation contract). As a result, the complaint had to be dismissed.
The decision is not yet legally binding.
Article provided by: Clemens Thiele (Eurolawyer, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)