By Dave McKay | December 26, 2021
Austrian Data Protection Authority Fines Individual for Data Breach
The Austrian Data Protection Authority, the Österreichische Datenschutzbehörde (DSB), has issued a fine to an individual under the GDPR. The fine is €600.00. If it is irrecoverable, the individual will face 36 hours' imprisonment.
The facts of the case revolve around two individuals: Person A, a kindergarten teacher (the victim), and Person B (the offender). Person A took sick leave in 2013 and 2014. They said that the root cause of their inability to be in work was—somehow—caused by Person B. Person A’s employer, a municipality, approached Person B and said they may be coming after them for damages.
Some time later, Person B obtained medical records—which count as special category data—belonging to Person A which, in their mind, showed that Person A’s health issues were a pre-existing condition. They shared the documents with the municipality. That was the action which the DSB ruled to be a breach of the GDPR.
There are two big points here. The first is that data processing by a private individual can be governed by the rules of the GDPR, or in the U.K.’s case, the version of the GDPR contained in the Data Protection Act 2018. Depending on the type of data and the purposes of the processing, data processing by an individual—not just by an organization—can fall within the scope of the GDPR.
The second point is that whilst Article 9(2)(f) of the GDPR allows the processing of special category data for the purposes of the establishment, exercise or defence of legal claims, that exemption did not apply in this case.
The municipality had taken no further steps to claim damages from the controller since September 2014, and the claim had already been time-barred under § 1489 of the General Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB), since more than three years had passed since the event that allegedly caused the damage:
§ 1489. Every action for compensation is statute-barred three years from the time at which the damage and the person who caused the damage became known to the damaged person, whether the damage was caused by breach of a contractual obligation or without any relation to a contract. If the damaged person is not aware of the damage or the person who caused the damage, or if the damage is the result of one or more judicial criminal acts that can only be committed willfully and are threatened with a prison sentence of more than one year, the right of action only expires after thirty years.
The upshot of all of that is that Person B’s only lawful basis for sharing the private medical data of Person A was to obtain consent from Person A, which, of course, they did not do.
The GDPR and the DPA 2018 are complex legislation. If you have any doubts or questions about your organization’s data processing activities, contact us and we’ll happily discuss them with you.
Source: GDPR Hub