Recent decisions of the Austrian Data Protection Authority (2/3)

26.08.2019

This article presents the second out of three interesting decisions on Austrian data protection law, in particular dealing with confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR, the right to deletion pursuant to Art 17 GDPR and an evaluation of a data controller.

2. No right to deletion from a doctor search and assessment portal - Case no. D123.527/0004-DSB/2018

In its decision of 15 January 2019 othe Austrian data protection authority had to decide whether the respondent, who operates a doctor search and evaluation portal, had a right to refuse to comply with the request for deletion made by a doctor who requested the complete deletion of all his data, including evaluations and experience reports, from this portal.

The data protection authority initially stated that the linking of data pursuant to § 27 para 1 no 1 to 17 ÄrzteG 1998 (Austrian Act on the Medical Professions of 1998) with the possibility of submitting an assessment as well as a report on the experiences of a (new) processing activity that requires a permitted fact. In this regard, the respondent relied on legitimate interests pursuant to Art. 6 para 1 lit f GDPR, which is why a balancing of interests had to be carried out. In this balancing of interests, it was first necessary to take into account that the respondent had implemented appropriate protective measures so that objectively unjustified comments were reported and multiple evaluations - as far as technically possible - were prevented. The complainant is therefore not exposed to the evaluations without protection, which is why no pillory effect is recognizable.

In addition, the professional activity is to be classified as belonging to the social sphere, which is why it can be assumed that it is less worthy of protection than if data were to be classified as belonging to the "intimate or confidential sphere". On the other hand, patients had a legitimate interest in obtaining information on medical services, especially as there is a free choice of doctors in Austria. A search and evaluation portal, such as the one operated by the respondent, enables people who occasionally do not know each other to exchange information simply and efficiently on a specific topic and enables people to use such a portal as an additional search and information source for medical care and health services. In this context, the data protection authority came to the conclusion that the legitimate interests of the portal users (the patients) predominate over the stated impairments of the legitimate interests of the complainant, which is why the respondent rightly did not comply with the request for deletion and the complaint was therefore rejected. This decision is legally binding.

 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)

Previous article: 2. No right to confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR – Case no. D485.001/0003-DSB/2018

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.