DSB (Austria) – 2025-0.789.117

10 February 2026

Mba: /* Facts */

{{DPAdecisionBOX

|Case_Number_Name=2025-0.789.117
|ECLI=ECLI:AT:DSB:2025:2025.0.789.117

|Original_Source_Name_1=RIS
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=0c680f0e-8f27-45c7-978f-508c23d5c6da&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=EinerWoche&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=DSBT_20251010_2025_0_789_117_00
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=xz
|
}}

The DPA held that a hospital did not violate [[Article 15 GDPR]] by not providing information on the medical cause of death, as the request did not concern the data subject’s own personal data and the GDPR does not apply to personal data of deceased persons.

== English Summary ==

=== Facts ===
The daughter (the data subject) of a deceased patient, who repeatedly emailed a hospital (the controller) requesting information on the medical cause of death of her father. The controller responded that she was not registered as a “trusted person”, and the deceased had designated another trusted person, who alone had access to the medical records.

The data subject filed a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of her right of access under [[Article 15 GDPR]], arguing that the hospital failed to respond properly to her requests.

=== Holding ===
The DSB dismissed the complaint as unfounded. It held that the data subject’s emails did not constitute a valid access request under [[Article 15 GDPR]], as they merely sought disclosure of a specific piece of information (the medical cause of death) rather than information about the processing of personal data. Consequently, no obligation to respond under [[Article 12 GDPR#3|Article 12(3) GDPR]] arose.

The DSB further found that the requested information did not relate to the data subject’s own personal data but to that of her deceased father. Since the GDPR does not apply to personal data of deceased persons under [[Recitals GDPR|Recital 27]] and the right of access is a strictly personal and non-transferable right, the complainant could not rely on [[Article 15 GDPR]] to obtain the information. The absence of a valid access request was not a procedural defect capable of being cured, and the complaint therefore had to be rejected.

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.

<pre>
Text

File No.: 2025-0.789.117 of October 10, 2025 (Case No.: DSB-D124.3334/25)

[Note from Editor: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical data, etc., as well as their initials and abbreviations, may have been abbreviated and/or altered for pseudonymization purposes. Obvious spelling, grammar, and punctuation errors have been corrected.]

DECISION

RULING

The Data Protection Authority decides on the data protection complaint of Verena A*** (complainant) of September 16, 2025, against the M*** Hospital (respondent) for violation of the right to information as follows:

– The complaint is dismissed as unfounded.

Legal basis: Article 4(1), Article 12(3), Article 15, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1; Sections 18(1) and 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 13 of the General Administrative Procedure Act 1991 – AVG, Federal Law Gazette No. 51/1991 as amended. Legal basis: Article 4, paragraph 1, Article 12, paragraph 3, Article 15, Article 51, paragraph 1, Article 57, paragraph 1, letter f, and Article 77, paragraph 1, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), Official Journal No. L 119 of 4 May 2016, Session 1; Sections 18, paragraph 1, and 24, paragraphs 1 and 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 of 1999 as amended; Section 13 of the General Administrative Procedure Act 1991 – AVG, Federal Law Gazette No. 51/1991 as amended.

GROUNDS

A. Appellant’s Submissions

In her initial submission of September 16, 2025, the appellant alleged a violation of her right to information, stating that the respondent had not provided her with any information regarding the medical cause of her deceased father’s death.

The appellant requested information about her father’s medical cause of death from the respondent by email on July 1, 2025, July 29, 2025, and August 28, 2025. She did not receive a written response. The respondent explained that she could not obtain this information because only certain “trusted persons” had such a right.

B. Subject Matter of the Appeal

Based on the appellant’s submissions, the subject matter of the appeal is whether the respondent violated the appellant’s right to information.

C. Findings of Fact

1. The appellant sent the respondent an email on July 1, 2025, July 29, 2025, and August 28, 2025, requesting information about the medical cause of her father’s death.

2. The respondent replied on July 3, 2025, that the appellant was not registered as his designated representative and therefore no medical records could be sent to her. In response to the email of July 29, 2025, the respondent stated that the appellant’s father had designated a specific representative and that only this representative had a legal right to access the medical records.

Assessment of Evidence: The findings are based on the appellant’s submissions, the attached copy of the correspondence with the respondent, and the submitted birth certificate, which shows that the deceased is the appellant’s father.

D. Legally, this leads to the following conclusions:

D.1. Regarding the Right of Access under Article 15 GDPR

The right of access under data protection law pursuant to Article 15 GDPR—unlike Articles 13 and 14 GDPR—is a request-based right of the data subject, meaning that the controller is only required to act upon a request, pursuant to Article 12(3) GDPR. According to Article 15 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

According to Article 15 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. In response to a request for information under Article 15 of the GDPR, the controller is not obligated to answer a list of questions, but only to provide the information listed in Article 15 of the GDPR regarding the processing of the data subject’s personal data, insofar as the controller processes the requesting party’s personal data (such as categories of personal data, purposes, and legal bases, etc.).

To assess whether such a request exists within the meaning of Article 15 of the GDPR, the request must be examined for its content, applying the same standard that applies to unilateral declarations of intent under private law. Accordingly, the wording and understanding of the declaration must be considered from an objective perspective, namely as the recipient could objectively understand it based on its wording and purpose (see BVwG 3.5.2018, W256 2190554-1, regarding requests for information under Section 26 of the Data Protection Act 2000 and concerning interpretation with reference to the case law of the Supreme Court, e.g., Supreme Court 15.9.1999, 9 ObA 148/99a). To assess whether such a request exists within the meaning of Article 15 GDPR, the request must be examined for its content, applying the same standard that also applies to unilateral declarations of intent under private law. Accordingly, the wording and understanding of the declaration must be considered from an objective perspective, namely as the recipient could objectively understand it based on its wording and purpose (see Federal Administrative Court [BVwG] 3 May 2018, W256 2190554-1, regarding requests for information under Section 26 of the Data Protection Act 2000 [DSG 2000] and concerning interpretation with reference to the case law of the Supreme Court [OGH], e.g., OGH 15 September 1999, 9 ObA 148/99a).

It is not necessary for the requesting party to refer to the specific legal provision. However, for the declaration to qualify as a formal request, a certain minimum level of content is required, indicating that it concerns the exercise of data protection rights. This minimum level of content must make it clear to the controller that a corresponding obligation to respond under the GDPR is triggered and that it is not merely a query.

D.2. On the matter

The wording used in the letters of July 1, 2025, July 29, 2025, and August 28, 2025, cannot—as is evident from the findings—be understood as a data protection-related request for information based on their objective meaning. In particular, the wording “I therefore politely request that you inform me of the medical cause of death,” “I request […] notification of the medical cause of my father’s death,” and “My request does not concern the complete medical history, but solely the notification of the medical cause of death” constitutes a request for information about her deceased father, but not the exercise of a data subject right within the meaning of Article 15 GDPR. The wording used in the letters of July 1, 2025, July 29, 2025, and August 28, 2025, cannot—as is evident from the findings—be understood as a data protection-related request for information based on their objective meaning. In particular, the phrases “I therefore respectfully request that you inform me of the medical cause of death,” “I request […] notification of the medical cause of my father’s death,” and “My request does not concern the complete medical history, but solely the notification of the medical cause of death” constitute a request for information about her deceased father, but not the exercise of a data subject right within the meaning of Article 15 of the GDPR.

I request […] notification of the medical cause of death of my father. A request for access pursuant to Article 15 GDPR cannot therefore be inferred from the wording of the emails sent on July 1, 2025, July 29, 2025, and August 28, 2025 – based on their objective meaning.

In the present case, with regard to the letters of July 1, 2025, July 29, 2025, and August 28, 2025, the complainant has no right to access the data from the respondent due to the lack of a formal request.

Consequently, in the absence of a formal request, the complainant has no right to access the data from the respondent in the case at hand. The absence of a prerequisite for success, which leads to the substantive resolution of an application through its rejection, does not constitute a “defect in a written submission” within the meaning of Section 13 Paragraph 3 of the General Administrative Procedure Act (AVG). Defects that impair the prospects of success of an application, i.e., those that preclude a substantively positive resolution of the application, are therefore not remediable within the meaning of Section 13 Paragraph 3 of the AVG. The absence of a request for information to the respondent constitutes an irremediable defect that leads to the dismissal of the application (see Austrian Administrative Court [VwGH] decisions of December 18, 2017, Ro 2016/15/0042 and of April 24, 2017, Ra 2016/05/0040). The absence of a prerequisite for success, which leads to the substantive resolution of an application by its dismissal, does not constitute a “defect in a written submission” within the meaning of Section 13, Paragraph 3, of the Austrian General Administrative Procedure Act (AVG). Therefore, defects that impair the prospects of success of an application, i.e., those that preclude a substantively positive resolution of the application, are irremediable within the meaning of Section 13, Paragraph 3, of the AVG. The lack of a request for information to the respondent constitutes a defect that cannot be remedied and leads to the rejection of the application (see VwGH of 18 December 2017, Ro 2016/15/0042 and of 24 April 2017, Ra 2016/05/0040).

Since the requirements for a complaint to the data protection authority pursuant to Article 77 GDPR or Section 24(1) of the German Federal Data Protection Act (BDSG) were not met with regard to the letters in question, the complaint was therefore dismissed.

Furthermore, it should be noted that, from a data protection perspective, the information concerning the father’s medical cause of death does not constitute personal data relating to the complainant.

Furthermore, it should be noted that the information regarding the father’s medical cause of death does not constitute personal data relating to the complainant from a data protection perspective. Article 4(1) of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’).” According to this provision, an “identifiable” natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The existence of personal data requires a material element: Information about a data subject must be provided. This criterion is broad and encompasses all types of information that can be made about a person, without any substantive limitations. However, statements that convey no information whatsoever cannot constitute data due to the lack of material information (see Austrian Administrative Court [VwGH] 28.03.2023, Ro 2019/04/0232).

The existence of personal data requires a material element: Information about a data subject must be provided. This criterion is broad and encompasses all types of information that can be made about a person without any substantive limitations. However, statements that convey no information whatsoever cannot constitute data due to the lack of material information (see Austrian Administrative Court [VwGH] 28.03.2023, Ro 2019/04/0232). The purpose of the GDPR is to protect personal data during its processing. The aim is to ensure that data protection rights are not jeopardized and that individuals do not lose control over their data. An undesirable outcome would be the application of data protection provisions in situations not intended by the original legislator and for which the law was not created, such as the right of access. The Article 29 Working Party’s guidelines on the concept of personal data state, among other things, that the applicable scope of personal data protection should not be broadly expanded (and, of course, should not be unlawfully restricted). Consequently, the complainant cannot rely on Article 15 GDPR to obtain information about a third party – in this case, the medical cause of death of her deceased father. The purpose of the GDPR is to protect personal data during its processing. The aim is to ensure that data protection rights are not jeopardized and that individuals do not lose control over their data. An undesirable outcome would be the application of data protection provisions in situations not intended by the original legislator and for which the law was not created, such as the right of access. The guidelines in Articles 29-, G, r, u, p, p, and e regarding the concept of personal data state, among other things, that the applicable scope of personal data protection should not be broadly expanded (and, of course, should not be unlawfully restricted). Consequently, the complainant cannot rely on Article 15 of the GDPR to obtain information about a third party—in this case, the medical cause of death of her deceased father.

In light of the aforementioned explanation of the concept of personal data, it is clear that the complainant does not wish to obtain information about personal data concerning her in order to maintain control over her own data or to prevent misuse.

Furthermore, according to Recital 27 of the GDPR, it does not apply to the personal data of deceased persons. Therefore, the daughter’s assertion of the right of access under Article 15 on behalf of her father is also not possible. The fundamental right to data protection, or the right of access, is a highly personal right that can generally only be exercised by the data subject themselves (Thiele/Wagner, Commentary on the Data Protection Act (DSG), § 1 para. 34; Jahnel, Commentary on the General Data Protection Regulation, Art. 15 GDPR, para. 5 et seq.). Since highly personal rights cannot be inherited, the daughter cannot exercise this right (Werkusch-Christ in Kletečka/Schauer, ABGB-ON1.08 § 531 para. 3; see also the decision of the Federal Administrative Court of 26 January 2023, file number W252 2248013-1). Furthermore, according to Recital 27 of the GDPR, it does not apply to the personal data of deceased persons. Therefore, the daughter cannot assert the right of access under Article 15 on behalf of her father. The fundamental right to data protection, or the right of access, is a highly personal right that can generally only be exercised by the data subject themselves (Thiele/Wagner, Commentary on the Data Protection Act (DSG), Section 1, para. 34; Jahnel, Commentary on the General Data Protection Regulation, Article 15, GDPR, paras. 5 et seq.). Since highly personal rights cannot be inherited, the daughter cannot exercise this right (Werkusch-Christ in Kletečka/Schauer, ABGB-ON1.08 Section 531, para. 3; see also the decision of the Federal Administrative Court of January 26, 2023, file number W252 2248013-1).

The decision was therefore rendered accordingly.
</pre>

SN – I NO 14/23

VG Düsseldorf – 29 K 9469/23