Skip to main content

Recent decisions of the Austrian Data Protection Authority (2/3)


This article presents the second out of three interesting decisions on Austrian data protection law, in particular dealing with confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR, the right to deletion pursuant to Art 17 GDPR and an evaluation of a data controller.

2. No right to deletion from a doctor search and assessment portal - Case no. D123.527/0004-DSB/2018

In its decision of 15 January 2019 othe Austrian data protection authority had to decide whether the respondent, who operates a doctor search and evaluation portal, had a right to refuse to comply with the request for deletion made by a doctor who requested the complete deletion of all his data, including evaluations and experience reports, from this portal.

The data protection authority initially stated that the linking of data pursuant to § 27 para 1 no 1 to 17 ÄrzteG 1998 (Austrian Act on the Medical Professions of 1998) with the possibility of submitting an assessment as well as a report on the experiences of a (new) processing activity that requires a permitted fact. In this regard, the respondent relied on legitimate interests pursuant to Art. 6 para 1 lit f GDPR, which is why a balancing of interests had to be carried out. In this balancing of interests, it was first necessary to take into account that the respondent had implemented appropriate protective measures so that objectively unjustified comments were reported and multiple evaluations - as far as technically possible - were prevented. The complainant is therefore not exposed to the evaluations without protection, which is why no pillory effect is recognizable.

In addition, the professional activity is to be classified as belonging to the social sphere, which is why it can be assumed that it is less worthy of protection than if data were to be classified as belonging to the "intimate or confidential sphere". On the other hand, patients had a legitimate interest in obtaining information on medical services, especially as there is a free choice of doctors in Austria. A search and evaluation portal, such as the one operated by the respondent, enables people who occasionally do not know each other to exchange information simply and efficiently on a specific topic and enables people to use such a portal as an additional search and information source for medical care and health services. In this context, the data protection authority came to the conclusion that the legitimate interests of the portal users (the patients) predominate over the stated impairments of the legitimate interests of the complainant, which is why the respondent rightly did not comply with the request for deletion and the complaint was therefore rejected. This decision is legally binding.


Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)

Previous article: No right to confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR – Case no. D485.001/0003-DSB/2018

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.