CRIF – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's Federal Administrative Court ruled that CRIF, a credit reference agency, properly responded to a request for access to personal data. The court found that the agency provided enough information about data sources and storage periods, which means it followed the rules. This case highlights the importance of clear communication from companies about how they handle personal data.
What happened
CRIF was asked to provide detailed personal data access information and was found to have complied with the request.
Who was affected
The complainant, who sought access to their personal data held by CRIF.
What the authority found
The court decided that CRIF met its obligations by providing sufficient information about the data it holds, thus no violation occurred.
Why this matters
This ruling emphasizes that companies can determine how they disclose personal data, as long as they provide enough information. It serves as a reminder for businesses to be transparent about their data practices.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
In 2018, the complainant requested access to their personal data from CRIF (the ‘respondent’), a credit reference agency operating in Austria. After receiving the agency's response, the complainant alleged a violation of their right of access because the response was insufficient. According to the complainant, the agency failed to precisely name the data sources, the purposes and the storage period for the personal data. The complainant had also not been informed of new recipients of their personal data. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.
The respondent indicated certain companies as its data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets, which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.
The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients, as well as the criteria for determining the storage period fulfilled the access request of the complainant. The provided data was sufficient, and a copy of the personal data does not include entire documents, exact copies or a facsimile of such; rather, it is the controller's choice what data is delivered and exactly how. Moreover, Article 77 GDPR is standardized in administrative proceedings as part of Austrian national law and therefore bound to its requirements. The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period a
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. CRIF - Austria (2021). Retrieved from cookiefines.eu