The Austrian data protection authority ('DSB') published, on 25 April 2022, a summary of its decision No. 2021-0.785.022 (D124.4309), as issued on 27 January 2022, in which it found that a respondent was not responsible under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') for a control system concerning access to employee vaccination data, following a complaint by an employee.

Background to the case

In particular, the DSB highlighted the complainant filed their concerns claiming that two of the defendant's employees had unauthorised access to their medication and vaccination data, noting that access to their data took place without their knowledge. Furthermore, the DSB outlined the claimant's argument all employees must sign a non-disclosure agreement and privacy policy at the beginning of the employment relationship, that no data would be forwarded to third parties.

Findings of the DSB

Nonetheless, the DSB found that although an employee of the respondent had accessed medication and vaccination data for their own purposes, the DSB considered that an effective control system relating to such data does not require constant supervision by the respective employee. More specifically, the DSB noted that the employee of the complainant was the controller of the data processing in question pursuant to Article 4(7) of the GDPR, and therefore the complainant should have directed their claims to them, as opposed to the respondent in question.

Outcomes

In conclusion, the DSB found that the data access was not due to a lack of control measures, dismissing the appeal of the claimant.

You can read the decision, only available in German, here.