In its decision of June 10, 2021 (GZ: 2021-0.404.151), the DSB had to deal with the accusation that a physician had inspected a data subject's electronic vaccination certificate without authorization.
The respondent is a physician in private practice and runs her own practice. The respondent and the complainant are known to each other, as the complainant’s sister-in-law is an employee of the respondent. The respondent’s employee informed the respondent that a family party was planned for the weekend. Thereupon, the respondent inspected the complainant’s data in the electronic vaccination record.
By way of justification, the respondent stated that she had succeeded in keeping Covid-19 infections out of the practice since the beginning of the pandemic. After it had become known that clusters frequently occurred after family celebrations, she had carried out a risk assessment for herself and her employee by consulting the vaccination record. The respondent therefore relied on an overriding legitimate interest.
However, the data viewed is health data according to Art. 4 no. 15 GDPR. Under Art. 9 para. 1 GDPR, such data is a special category of personal data and may only be processed in the ways described in Art. 9 para. 2 GDPR. Compared to the justifications of Art. 6 para. 1 GDPR, the admissibility criteria of “processing in the legitimate interest of the controller or a third party” (Art. 6 para. 1 lit. f GDPR) and “processing for the performance of a contract” (Art. 6 para. 1 lit. b GDPR).
Since the ground set forth in Art. 6 para. 1 lit. f GDPR is not covered by Art. 9 para. 2 GDPR, the invocation of this ground was consequently inadmissible. The complaint was therefore upheld and it was found that the complainant’s right to confidentiality had been violated.
This decision is not legally binding.