Austria: Federal Administrative Court upholds DSB decision regarding lack of knowledge of obligations under GDPR
On June 3, 2024, the Federal Administrative Court of Austria issued its decision in Case No. W2922282284 - 1/10 E, partially upholding decision no. D550.853 / 2023-0.749.445 of the Austrian data protection authority (DSB), dated November 2, 2023. In that decision, the DSB had imposed a fine of €6,000 on the appellant in the present case, a practicing specialist in psychiatry and psychotherapy, for the unlawful disclosure of personal data in violation of the General Data Protection Regulation (GDPR). The Court, while partially upholding the decision, reduced the fine to €4,000 in addition to costs.
Background to the decision
The appellant was held in breach of Article 9(1) of the GDPR for disclosing personal data, including the sensitive personal data of 28 patients, in a group message. The DSB also held that the appellant did not take appropriate technical and organizational measures, in violation of Articles 25(1) and 25(2) of the GDPR. Additionally, the appellant did not comply with the data protection principles of data minimization, integrity, and confidentiality, in violation of Articles 5(1)(c) and 5(1)(f) of the GDPR. The DSB further found that the appellant did not retain records of processing activities in accordance with Article 30 of the GDPR. Finally, the appellant did not notify the DSB of the breach as per Article 33(1) of the GDPR.
The appellant argued that its employees were not aware that data breaches must be reported to the authorities and that a notification was not necessary since the DSB was already informed about the breach through third parties.
Findings of the Court
The Court rejected the appellant's arguments and stated that the appellant was responsible for informing the DSB of the data breach and complying with the provisions of the GDPR.
Outcomes
In light of the above, the Court dismissed the appeal as unfounded and reduced the fine to €4,000 in addition to costs.
You can read the decision, only available in German, here.