unknown data subject (complainant before the DSB) – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A person in Austria successfully challenged a credit reference agency for not deleting settled debt information. The agency refused to erase data on a small debt, but the court ruled that the data was no longer relevant since it had been settled for over nine years. This case shows that individuals have rights to have outdated information removed.
What happened
A person requested the deletion of settled debt data from a credit reference agency, which was initially denied.
Who was affected
An individual who had settled their debts and wanted outdated information removed from their credit report.
What the authority found
The Austrian Data Protection Authority ordered the credit reference agency to erase data on a debt that had been settled for over nine years.
Why this matters
This ruling reinforces the right to erase outdated personal information. Businesses should be aware of their obligations to remove irrelevant data to comply with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
In June 2018 the data subject sent a request under Article 17 GDPR to the credit reference agency, requesting the erasure of all processed data on previously unsettled debts. The data subject stated that all debts have been settled in 2013 in the course of fulfilling a payment plan resulting from insolvency proceedings. After the credit reference agency refused the erasure, the data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) in July 2018. The credit reference agency argued before the DSB that the data were still relevant for correctly assessing the data subject's creditworthiness under Article 5(1)(d) GDPR. Deleting the data would lead to incorrect results. In addition, the credit reference agency's interests under Article 6(1)(f) GDPR would outweigh those of the data subject. Furthermore, the credit reference agency demanded that the DSB would not deviate from Austrian case law prior to the applicability of the GDPR, according to which payment experience data could be stored for up to 7 years after the respective debt has been settled. The DSB partially upheld the complaint, ordering the credit reference agency to erase the data on a €497 debt from their database as it had been settled in February 2013. Regarding data on a €481 debt which had been settled in April 2018, the DSB rejected the complaint, as it considered this data still necessary to assess the data subject's creditworthiness and agreed with the credit reference agency that the processing can be based on Article 6(1)(f) GDPR. The credit reference agency filed an appeal against the the DSB's order to erase the data on the €497 debt. The BVwG upheld the DSB's decision. It emphasized that at the point of the decision of the BVwG, the debt had been settled for more than 9 years. Consequently, it considered the data to be to no longer relevant for assessing the data subject's creditworthiness. The BVwG also mentioned that even under case law prior to
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (3)
Other cases involving unknown data subject (complainant before the DSB) in AT
Court Ruling
Details
About this data
Cite as: Cookie Fines. unknown data subject (complainant before the DSB) - Austria (2022). Retrieved from cookiefines.eu
Last updated: