In the decision of August 8, 2018, GZ: DSBD084.133/0002-DSB/2018, the DPA had dealt with the conditions under which the data protection authority may require data controllers to submit a declaration pursuant to Art. 34 para. 1 of the GDPR, the data subject must be informed of this fact. The person in charge reported to the data protection authority that a narcotic drug book had been lost, which contained the name, physical health condition and the amount of narcotic drug administered to about 150 patients in uncoded form. In the present case, the responsible party assumed that the patients concerned did not have to be notified Selected decisions of the DSB www.dsb.gv.at dsb@dsb.gv.at DSB Newsletter 4/ 2018 3 because there was no high risk for them. In particular, the processed data in the “wrong hands” could allow exposure or identity theft/fraud only with a great deal of research. The DPO took a different view and ordered the responsible party to notify the data subjects. This was justified by the fact that the narcotics book also contained health data pursuant to Art. 4 Z 15 DSGVO. A high risk to the rights and freedoms of data subjects exists in any case when special categories of data, including health data, are processed extensively. Exceptions to the notification requirement under Art. 34 para. 3 GDPR were not present. This decision is legally binding.