In its decision of August 5, 2021, the DSB had to deal with the procedures of a district administrative authority (respondent) regarding several confirmed SARS-CoV-2 cases at a school.
The cases of infection affected various school classes and floors, which is why the respondent requested the names, addresses, dates of birth and cell phone numbers of the students, teachers and administrative staff. This data was subsequently fed into a web tool for the organizational management of the tests. As a result, the complainant, a student who had not been classified as a contact person of a person who tested positive, received a text message offering voluntary PCR testing. He therefore considered his right to confidentiality to have been violated. The DSB dismissed the complaint as unfounded.
The respondent based the data processing on the data protection provisions set forth in sec. 5 para. 1 EpiG, and the DSB did not object to this view:
The wording of this provision focuses, among other things, on persons suspected of having the disease or of being infected, and the procedure serves to identify the source of the disease. The competent authority is thus granted a wide margin of discretion, which the respondent in any event did not exceed here.
The decision is legally binding.