In its decision of January 27, 2022, the data protection authority dealt with the legality of the processing, controller status and the concept of a control system where an employee of the respondent carries out ELGA queries in her own interest.
The complainant alleged that two female employees of the respondent had accessed his medication and immunization status data without authorization. The respondent argued that the accesses had taken place without its knowledge. Furthermore, no printouts had been made and no data had been forwarded to third parties. In addition, all employees had to sign a non-disclosure agreement, including a privacy policy, at the beginning of their employment.
In the case at hand, it was clear from the file that the complainant wanted to take action against the respondent itself. However, the employee who carried out the queries in the ELGA file is to be qualified as a controller within the meaning of Art. 4(7) of the GDPR, and a complaint would have had to be directed against this natural person directly.
Furthermore, taking into account the established case law of the VwGH (cf. 07.03.2016, Ra 2016/02/0030), it was stated that an effective control system does not require the constant supervision of the employee, and there were therefore no indications that the data accesses in question had been made possible by a lack of control measures on the part of the respondent. The complaint therefore had to be dismissed. The decision is not legally binding.
Source: DSB Austria