On 25 March 2021, the Austrian DPA (“DSB”) published a decision finding that the processing of data relating to a negative COVID-19 result, and the sharing of that data with third parties, had been lawful. The decision followed a complaint from an individual against a medical center alleging the violation of the individual’s right to confidentiality.
In particular, the DSB underlined that restrictions to said right are permitted if personal data is processed for the vital interests of the data subject, if the data subject has given their consent, if there is an adequate legal basis for the processing, or if the processing is justified by giving effect to the overriding legitimate interests of the third party.
In this respect, the DSB concluded that a negative COVID-19 result falls under the broad definition of “health data” and under the scope of Article 9(2) of the GDPR. In addition, the DSB found the processing and the sharing of the negative test result to be lawful as it took place for the fulfillment of the respondent’s legal obligation to share negative COVID-19 PCR test results with the district administrative authority.
The DSB’s decision is available here (only in German).