In its decision of November 15, 2022, the data protection authority had to assess the lawfulness of a query of eMedication data and evaccination data by a physician (respondent). In the present case, it was not the complainant but his minor son who was a patient of the respondent. The son was co-insured with both his mother and the complainant. After the complainant discovered that, according to the ELGA query log, both his eMedication data and his evaccination passport data had been retrieved by the respondent, even though he had not received treatment from the respondent at any time, he felt that his right to confidentiality § 1 DSG had been violated. In the course of an extensive investigation, the data protection authority was able to determine that when the eCard of a co-insured minor is inserted, not only the minor’s own data but also the names of the main insured are displayed. For billing with the respective social insurance agency, one of the main insured persons must be selected, in which case their file is automatically opened by the software and (depending on the setting) either the treatment or master data sheet is displayed. A corresponding note is already made in the ELGA query log as soon as the treatment or master data sheet is clicked, but a view requires another click and opening of the respective data. In this case, the complainant was mistakenly clicked on instead of the mother who had accompanied the son, which resulted in the notes that are the subject of the complaint, without the eMedication data and evaccination data actually being viewed. The appeal was therefore dismissed as unfounded, and the decision is final.
Source: DSB Austria