Austria: DSB considers negative COVID-19 result as health data and finds sharing of data lawful
The Austrian data protection authority ('DSB') published, on 25 March 2021, a decision finding that the processing and sharing of data with third parties in relation to a negative COVID-19 result had been lawful. In particular, the complaint was made by an individual against a medical centre alleging that the processing and sharing of data with third parties on a negative COVID-19 test violated the individual's right to confidentiality. In addition, the DSB highlighted that restrictions to said right are permitted if personal data is processed for the vital interests of the data subject, the data subject has given their consent, if there is an adequate legal basis for the processing, or if the processing is justified by giving effect to the overriding legitimate interests of the third party. More specifically, the DSB found that a negative COVID-19 result falls under the broad definition of 'health data' and under the scope of Article 9(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Further to this, the DSB considered that the processing and the sharing of the negative test result was lawful as it took place for the fulfilment of the respondent's legal obligation to share negative COVID-19 PCR test results with the district administrative authority.
You can read the decision, only available in German, here.