DSB (Austria) - 2025-0.968.031
Facts — A data subject published a post concerning their ADHD diagnosis on a publicly accessible online forum under a pseudonym. A person (the controller) who was a follower of the data subject and had previously been in personal contact with them, knew that the pseudonym belonged to the data subject. The controller subsequently sent a WhatsApp message to a mutual acquaintance stating that the data subject had received an ADHD diagnosis and included a link to the forum post. The data subject lodged a complaint with the Austrian DPA (DSB), arguing that their health data had been disclosed to a third party. They alleged that the controller by forwarding the pseudonymous forum profile, had unequivocally linked it to their real identity. Holding — The DPA held that the data subject was identifiable to the controller as regards the publication of the forum post under her profile name. Since the post also included information concerning her gender, age and diagnosis, it concluded that it constituted her personal data under Article 4(1) GDPR. The DPA further held that the prohibition on processing special categories of personal data under Article 9(1) GDPR did not apply because the data subject had manifestly made their health data public within the meaning of Article 9(2)(e) GDPR. It reasoned that actively disclosing the ADHD diagnosis in a publicly accessible forum constituted an unambiguous and conscious act by which the data subject made the information available to the public. The DPA therefore dismissed the complaint as unfounded.
How it connects
Related across sources
Full text
Text File No.: 2025-0.968.031 of December 3, 2025 (Case No.: DSB-D124.3813/25) [Note from editor: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical data, etc., as well as their initials and abbreviations may have been abbreviated and/or altered for pseudonymization purposes. Obvious spelling, grammar, and punctuation errors have been corrected.] DECISION RULING The Data Protection Authority decides on the data protection complaint of Huberta A*** (complainant) of October 31, 2025, against Franz N*** (respondent) for violation of the right to confidentiality as follows: - The complaint is dismissed as unfounded. Legal basis: Articles 4, 9(1) and (2)(e), 51(1), 57(1)(f) and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1; Sections 18(1) and 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended. Legal basis: Articles 4, 9(1) and (2), letter e, 51(1), 57(1), letter f, and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), Official Journal No. L 119 of 4 May 2016, page 1; Sections 18(1) and 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 of 1999 as amended. JUSTIFICATION A. Findings of Fact Based on the investigation conducted, in which the parties to the proceedings were given the opportunity to comment, the following facts are established. 1. On October 31, 2025, the complainant filed a complaint with the Data Protection Authority. In it, she stated that the respondent's forwarding of her anonymous profile on the "DZeitung" website to a third party via WhatsApp message had clearly linked her to her real identity. This, she claimed, had resulted in her health data being disclosed to a third party. Evaluation of Evidence: This finding is based on the complainant's initial submission of October 31, 2025. 2. The complainant opened a forum on the "DZeitung" website entitled "[Editor's Note: exact name removed for pseudonymization purposes, includes the diagnosis ADHD]". Since the respondent and the complainant had previously been in personal contact and he was a follower of hers, he was aware that the pseudonym "HUBERTA***" belonged to the complainant. Because he was a follower of hers, the forum post with her pseudonym was displayed to him. Evaluation of evidence: The findings are based, on the one hand, on the undisputed submissions of the parties to the proceedings, on the other hand, on an official search of the website "dzeitung.at", and on the other hand, on the other hand, on the screenshot of the complainant's forum post submitted in the respondent's statement of November 20, 2025. 3. On October 6, 2025, the respondent sent a WhatsApp message to a mutual acquaintance with the following content: "Huberta got an ADHD diagnosis? xD", along with the link to the forum post at issue in these proceedings. [ ] ] , . ... Assessment of Evidence: This finding is based on the screenshot of the WhatsApp message dated October 6, 2025, which was attached to the complainant's initial submission. The respondent did not dispute this. B. Subject Matter of the Complaint Based on the complainant's submissions, the subject matter of the complaint is whether the complainant's right to privacy was violated by the respondent forwarding her profile on the website "DZeitung" and, in connection therewith, the message "Huberta got an ADHD diagnosis? xD" to a third party. C. Legally, this leads to the following conclusions: C.1. Regarding the Qualification of the Forum Post as Personal Data "Personal data" within the meaning of Article 4(1) GDPR means, in any event, any information relating to an identified or identifiable natural person; An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. "Personal data" as defined in Article 4(1) of the GDPR means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data, as defined in Article 4(1) of the GDPR, means any information relating to an identified or identifiable natural person. The term “information” according to Art. 4 No. 1 GDPR is to be interpreted broadly and includes “both personal information used in context, such as identifying characteristics (e.g. name, address and date of birth), external characteristics (such as gender, eye color, height and weight) or internal states (e.g. opinions, motives, wishes, beliefs and value judgments), as well as factual information such as financial and property circumstances, communication and contractual relationships and all other relationships of the data subject with third parties and their environment” (Klar/Kühling in Kühling/Buchner, GDPR Commentary (2017), para. 8 et seq. on Art. 4). Economic data is also considered personal data (VfSlg 12.228/1989, 12.880/1991, 16.369/2001). The term "information" according to Article 4, paragraph 1, GDPR is to be interpreted broadly and includes "both personal information used in context, such as identifying characteristics (e.g., name, address, and date of birth), external characteristics (such as gender, eye color, height, and weight), or internal states (e.g., opinions, motives, desires, beliefs, and value judgments), as well as factual information such as financial and property circumstances, communication and contractual relationships, and all other relationships of the data subject with third parties and their environment" (Klar/Kühling in Kühling/Buchner, GDPR Commentary (2017), para. 8 et seq. on Article 4). Economic data is also considered personal data (VfSlg 12.228 from 1989, 12.880 from 1991, 16.369 from 2001). With regard to Article 2(a) of Directive 95/46/EC, the CJEU has already established that the term "personal data" is to be understood broadly. Accordingly, the term is not limited to sensitive or private information, but potentially encompasses all types of information, both objective and subjective, in the form of opinions or assessments, provided that it concerns information "about" the person in question (see the CJEU judgment of 20 December 2017, Case C-434/16, Nowak). According to the case law of the CJEU, the term "personal data" must therefore be interpreted broadly. With regard to Article 2(a) of Directive 95/46/EC, the CJEU has already established that the term "personal data" is based on a broad understanding. Accordingly, the term is not limited to sensitive or private information, but potentially encompasses all types of information, both objective and subjective, in the form of opinions or assessments, provided that it concerns information "about" the person in question (see the CJEU judgment of 20 December 2017, Case C-434/16, Nowak). However, the question remains as to for whom the person must be identifiable in order for data to be considered personal data. Recital 26 of the GDPR states that for a data set to qualify as personal data, it is not necessary for the controller to be able to carry out the identification themselves, but it is sufficient that any third party is likely to be able to do so, taking into account costs and time expenditure as well as the available technology and technological developments (see also Klabunde in Ehmann/Selmayr, GDPR, Commentary 2 [2018], Art. 4 para. 17; see also the judgment of the CJEU of 19 October 2016, C-582/14). However, it remains questionable for whom the person must be identifiable in order for data to be considered personal data. Recital 26 of the GDPR states that for a data set to qualify as personal data, it is not necessary for the controller to be able to carry out the identification itself, but it is sufficient that any third party is reasonably likely to be able to do so, taking into account costs and time expenditure as well as the available technology and technological developments (see also Klabunde in Ehmann/Selmayr, GDPR, Commentary² [2018], Article 4, para. 17; see also the judgment of the CJEU of 19 October 2016, C-582/14). Against this background, it must be assumed in the present case that the complainant was at least identifiable to the respondent by the publication of the forum post under the profile name “HUBERTA***”, which included her gender, age, and diagnosis. Therefore, the published forum post constitutes personal data of the complainant within the meaning of Article 4(1) GDPR. Against this background, it must be assumed in the present case that the complainant was identifiable to the respondent by the publication of the forum post under the profile name "HUBERTA***" with the indication of gender, age and diagnosis. Therefore, the published forum post constitutes personal data of the complainant within the meaning of Article 4(1) GDPR. C.2. Regarding Article 9(2)(e) GDPR According to Article 9(2)(e) GDPR, paragraph 1 (which prohibits the processing of sensitive or "special categories" data) does not apply if the processing relates to personal data that the data subject has manifestly made public. According to Kastelitz/Hötzendorfer/Tschohl, "public" in this context refers to the general public (an individually unidentifiable group of people), as is the case with data freely disseminated on the internet or via the media. The data subject must have made the data publicly available, i.e., through their own (conscious) act of will, which is the case, for example, with press releases and interviews the data subject gives to the media and must be assessed according to all the circumstances of the individual case (see Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 9 GDPR para. 41 [as of 7 May 2020, rdb.at], with further references to Kampert in Sydow, European General Data Protection Regulation² [2017], Art. 9 para. 32). According to Kastelitz/Hötzendorfer/Tschohl, "public" in this context refers to the general public (a group of people that cannot be individually identified), as is the case with data freely disseminated on the internet or via the media. The data subject must have made the data publicly available, i.e., through their own (conscious) act of will. This is the case, for example, with press releases and interviews the data subject gives to the media, and must be assessed according to all the circumstances of the individual case (see Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Article 9, GDPR para. 41 [as of May 7, 2020, rdb.at], with further references to Kampert in Sydow, European General Data Protection Regulation² [2017], Article 9, para. 32). According to Schiff, the assumption that the data subject has "obviously" made the sensitive data public requires an unambiguous, conscious act of will that is ultimately aimed at disclosing the data to the public. The assessment of whether the requirements of point (e) are met should be based on the perspective of an objective third party. This only meets the high level of protection afforded by Article 9 if any doubt is resolved against the controller or processor (see Schiff in Ehmann/Selmayr, GDPR, Commentary 2 [2018], Art. 9, para. 45, with further references). According to Schiff, the assumption that the data subject has "obviously" made the sensitive data public requires an unambiguous, conscious act of will that is ultimately aimed at disclosing the data to the public. The assessment of whether the requirements of point e are met should be based on the perspective of an objective third party. This only meets the high level of protection afforded by Article 9 if any doubt is resolved against the controller or processor (see Schiff in Ehmann/Selmayr, GDPR, Commentary 2 [2018], Art. 9, para. 45, with further references). Shortly before the end of the 2018 GDPR, the assumption that the data subject has "obviously" made the sensitive data public requires an unambiguous, conscious act of will that is ultimately aimed at disclosing the data to the public. In the present case, the complainant, as established, created a post in the forum of the public website "DZeitung" under her pseudonym "HUBERTA" and disclosed her ADHD diagnosis. From the perspective of a reasonable, objective third party, in such a situation—that is, after posting in a publicly accessible forum—it is by no means impossible to rule out that the post will be published and thus made accessible to a larger group of people or the general public. Rather, it is to be expected that this will happen or could happen. The active posting of the entry, in which the ADHD diagnosis is disclosed, is therefore to be interpreted as an unambiguous, conscious act of will on the part of the complainant. Consequently, the prohibition of Article 9(1) GDPR does not apply in the present case. Instead, the processing relates to Article 9(2)(e) GDPR. The processing relates to personal data that the complainant has manifestly (willfully) made public. Consequently, the prohibition in Article 9(1) GDPR does not apply in this case. Rather, the processing relates to personal data that the complainant has manifestly (willfully) made public, in accordance with paragraph 2(e) of the GDPR. The complaint was therefore to be dismissed as unfounded.