DPA on unauthorised inspection of electronic vaccination certificate
The Data Protection Authority (DPA) examined an allegation of unauthorised inspection of a data subject's electronic vaccination record by a doctor.
The complainant, who is also the sister-in-law of the defendant, is an employee of the medical practice run by the defendant. The employee (complainant) informed the doctor (defendant) that a family celebration was planned for the weekend. The doctor used this information as an opportunity to inspect the employee's electronic vaccination certificate. As justification for the inspection, the defendant stated that corona clusters frequently occur after family celebrations, which is why she carried out a risk assessment for herself and her employee and thus relied on an overriding legitimate interest.
The data of the complainant were health data pursuant to Article 4 no 15 of the General Data Protection Regulation (GDPR), which can only be processed in the cases mentioned in Art 9 para 2. In contrast to the justification grounds under Art 6 para 1 of the GDPR, the admissibility grounds under Art 6 para 1 lit f of the GDPR (processing in the legitimate interest of the person responsible or a third party) and Art 6 para 1 lit b of the GDPR (processing for the performance of a contract) are missing. The justification ground under Art 6 para 1 lit f of the GDPR is not covered by Art 9 para 2 of the GDPR. Consequently, the invocation of this ground for exclusion was inadmissible.
The DPA upheld the complaint and found that the complainant's right to confidentiality had been violated.
2021-0.404.151 (D124.4082) (10.06.21)
Efficient Legal Information 
Legal Jobs 
Innovative LegalTech Solutions