Court case W292 2247063-1/18E – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit rating agency stored a person's insolvency data for too long, harming their ability to get loans. The court found that the agency violated the person's privacy rights by not following proper data retention rules. This case highlights the need for businesses to regularly review how long they keep personal data.
What happened
A credit rating agency kept insolvency data longer than allowed, affecting a person's access to loans.
Who was affected
A person whose creditworthiness was negatively impacted due to the agency's data retention practices.
What the authority found
The court ruled that the agency violated the person's rights by failing to meet the necessary conditions for retaining their insolvency data.
Why this matters
This ruling emphasizes the importance of data retention policies for businesses. Companies should regularly assess how long they keep personal data to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On the 16 December 2019, the data subject filed a complaint against the controller, a credit rating agency with the Austrian DPA (Datenschutzbehoerde – DSB). The data subject alleged that the controller stored data regarding a previous insolvency for an excessive period of time after the termination of the insolvency or restructuring proceedings. Making available data on the insolvency led to the data subject suffering damages as bank loans were made unavailable to him. In the particular circumstances of the data subject, the insolvency was caused due to guaranty commitments rather than his own actions. Any debt and guaranties were settled through the restructuring proceedings and all outstanding payments were made within a month. The controller had violated the data subject’s right to privacy under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 Article 1(1) of the Austrian Data Protection Act] (Datenschutzgesetz - DSG) as none of the requirements of Article 6(1)(f) GDPR were met for the publication of credit-limiting information. The data subject later added that his right to rectification under Article 16 GDPR, his right to erasure under Article 17 GDPR and his right to restriction under Article 18 GDPR had been violated. He further added that he is exercising his right to object under Article 21 GDPR due to violations of Article 6(1)(e) & (f) GDPR. The data subject detailed that the credit rating agency stored and made available "negative entries" for seven years after the insolvency procedure had been wrapped up. The DSB rejected the complaint on 16 August 2021 stating that the consideration of non-payments in the near past is necessary in order to disseminate a complete profile of credit worthiness. The erasure from the insolvency register does not mean that this data must automatically be removed by credit rating agencies. The data subject appealed the decision to the Federal Administrative Court of Austria
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W292 2247063-1/18E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W292 2247063-1/18E - Austria (2024). Retrieved from cookiefines.eu
Last updated: