The Case at Stake: In 2026, the Austrian Constitutional Court (Verfassungsgerichtshof – VfGH) dealt with applications challenging the statutory framework for Austria's electronic vaccination pass (eImpfpass) and the central vaccination register under the Health Telematics Act 2012 (Gesundheitstelematikgesetz 2012 – GTelG 2012). The central vaccination register is the core element of the eImpfpass and serves the electronic documentation of vaccinations and vaccination-relevant information. Since September 2024, physicians and other relevant vaccination providers have been required to enter vaccinations and certain vaccination-relevant information, including relevant pre-existing conditions, special vaccination indications and medically indicated antibody determinations, into the register.
The applicants, including affected individuals and physicians, argued that this mandatory collection and storage of health data was disproportionate. Their central concern was that citizens cannot opt out of the eImpfpass in the same way as they may opt out of the Austrian electronic health record system (ELGA). They also criticised the lack of an individual right to have data deleted early. According to the applicants, the system therefore interfered with the fundamental right to data protection and with informational self-determination in a particularly sensitive area of healthcare.
The legal background is important. The eImpfpass uses parts of the ELGA infrastructure but is not governed by the same participation model as ELGA. Austria's public information portals make this point explicit: the eImpfpass is accessible through the ELGA portal, but it is legally separate from ELGA and there is no general opt-out. The policy rationale is that a complete vaccination database is seen as necessary to calculate reliable vaccination rates, identify vaccination gaps, support outbreak and crisis management and simplify the administration of public vaccination programmes.
The Decision: By decision of 28 April 2026 (G 178/2024, G 13/2025), the Constitutional Court did not annul the challenged provisions. Instead, it rejected the individual applications on procedural grounds. The Court considered that the applicants had another reasonable legal route available to pursue their data protection concerns, in particular through proceedings before the Austrian Data Protection Authority (Datenschutzbehörde – DSB). In Austrian constitutional procedure, an individual application to the Constitutional Court is only admissible where the challenged law directly affects the applicant and no other reasonable legal remedy is available.
This means that the Constitutional Court did not decide the substantive constitutional question of whether the eImpfpass, the absence of an opt-out and the retention of vaccination data are proportionate. The decision is therefore not a full constitutional endorsement of the current register design. It is, however, an important clarification of the procedural route: data protection objections to the operation of the eImpfpass must first be raised through the specialised data protection remedy system before they can potentially reach the Constitutional Court through an individual case.
This distinction matters for digital health infrastructure. Large-scale health registers often raise two different questions. The first is whether the legislature may create a centralised public health database at all. The second is how individuals can exercise their rights when they believe that a specific processing activity, access event or retention period breaches data protection law. The VfGH decision places the second question firmly in the hands of the DSB in the first instance.
For healthcare providers, the decision does not change the operational duties under the GTelG 2012 and the eHealth Regulation 2025 (eHealth-Verordnung 2025 – eHealthV 2025). Vaccination providers must continue to comply with statutory documentation duties in the central vaccination register where the relevant legal requirements apply. The storage of vaccination entries in the register can also fulfil professional documentation duties, although additional professional documentation may still be required outside the register where applicable.
For operators of digital health systems and public health infrastructure, the decision underlines the importance of governance, transparency and auditability. Individuals must be able to access information about their vaccination data and log data, either electronically via the ELGA access portal or in writing through the ELGA Ombudsstelle. Clear information, role allocation among controllers, access controls and documented security measures are central to the legitimacy of a compulsory health data register.
The case also provides a useful national counterpoint to the European Health Data Space (EHDS). Both the eImpfpass and the EHDS show the same structural challenge: public health and research objectives increasingly depend on complete, standardised and interoperable health data, while fundamental rights require strict controls over access, use, transparency and redress. Austria's eImpfpass dispute shows that legal remedies and governance design are not secondary details. They are part of the infrastructure itself.
This is important for healthcare providers, digital health operators and life sciences stakeholders:
- The VfGH decision is procedural, not a substantive approval of the eImpfpass. The Court rejected the applications because another legal route was available, especially before the DSB. Future cases may still test the proportionality of specific processing operations or access situations.
- The eImpfpass remains mandatory where the statutory entry obligations apply. Providers involved in vaccinations should continue to follow the GTelG 2012 and eHealthV 2025 requirements on what must be recorded, when it must be recorded and which data categories are included.
- No general opt-out exists. This makes transparency, access to data and access logs, controller role allocation and data security measures particularly important. Public health infrastructure must be explainable to citizens and defensible before data protection authorities.
- The decision confirms the practical importance of the DSB as the first forum for health data disputes. Digital health operators should prepare for requests, complaints and investigations under data protection law, rather than assuming that constitutional proceedings are the primary route.
- For life sciences companies, the case is relevant beyond vaccination. It shows how Austria approaches centralised health data infrastructure, compulsory documentation, public health objectives and individual data protection remedies – themes that will become more prominent as the EHDS is implemented.