Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Recent decisions of the Austrian Data Protection Authority (2/3)


This article presents the second out of three interesting decisions on Austrian data protection law, in particular dealing with confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR, the right to deletion pursuant to Art 17 GDPR and an evaluation of a data controller.

2. No right to deletion from a doctor search and assessment portal - Case no. D123.527/0004-DSB/2018

In its decision of 15 January 2019 othe Austrian data protection authority had to decide whether the respondent, who operates a doctor search and evaluation portal, had a right to refuse to comply with the request for deletion made by a doctor who requested the complete deletion of all his data, including evaluations and experience reports, from this portal.

The data protection authority initially stated that the linking of data pursuant to § 27 para 1 no 1 to 17 ÄrzteG 1998 (Austrian Act on the Medical Professions of 1998) with the possibility of submitting an assessment as well as a report on the experiences of a (new) processing activity that requires a permitted fact. In this regard, the respondent relied on legitimate interests pursuant to Art. 6 para 1 lit f GDPR, which is why a balancing of interests had to be carried out. In this balancing of interests, it was first necessary to take into account that the respondent had implemented appropriate protective measures so that objectively unjustified comments were reported and multiple evaluations - as far as technically possible - were prevented. The complainant is therefore not exposed to the evaluations without protection, which is why no pillory effect is recognizable.

In addition, the professional activity is to be classified as belonging to the social sphere, which is why it can be assumed that it is less worthy of protection than if data were to be classified as belonging to the "intimate or confidential sphere". On the other hand, patients had a legitimate interest in obtaining information on medical services, especially as there is a free choice of doctors in Austria. A search and evaluation portal, such as the one operated by the respondent, enables people who occasionally do not know each other to exchange information simply and efficiently on a specific topic and enables people to use such a portal as an additional search and information source for medical care and health services. In this context, the data protection authority came to the conclusion that the legitimate interests of the portal users (the patients) predominate over the stated impairments of the legitimate interests of the complainant, which is why the respondent rightly did not comply with the request for deletion and the complaint was therefore rejected. This decision is legally binding.


Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)

Previous article: 2. No right to confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR – Case no. D485.001/0003-DSB/2018


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.