Court case W292 2301229-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a credit reporting agency failed to delete outdated payment history data, affecting a person's credit score. This is significant because it shows that individuals have the right to have their data erased when it is no longer relevant.
What happened
The agency did not delete outdated payment history data, which led to an incorrect credit score for the individual.
Who was affected
The individual whose credit score was negatively impacted by the outdated data was affected.
What the authority found
The court found that the agency violated the individual's right to erasure under data protection rules by not deleting the irrelevant data.
Why this matters
This ruling reinforces the right of individuals to have their personal data erased when it is no longer necessary. Companies should regularly review their data retention practices to comply with this right.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2024, a data subject filed a complaint to the DPA regarding the right to erasure of stored payment history data. The controller, a credit reporting agency, updated the data subject’s credit score following an out of court proceedings in 2019. The data subject’s request for a loan was rejected on the basis that banks received the information “Score value 0 - no calculation possible” when requesting information about the data subject. This value was an error as a result of the controller not being able to correctly assign a numerical value to the out of court proceedings. The entries analysed by the DPA and Court were the ones on the completion of out of court settlement and “Score value 0: No calculation possible”. In its decision, the DPA applied the reasoning of CJEU case law (the SCHUFA case) to conclude that the processing of payment history also constitutes a serious interference with the fundamental right to privacy and data protection ([https://www.europarl.europa.eu/charter/pdf/text_en.pdf Articles 7 and 8 CFREU]). The DPA then applied national law on time limits in processing of data related to insolvency procedures, arguing that the controller should have deleted the data relating to the out of court settlement. By not deleting this information the controller was violating the data subject's right to erasure under Article 17 GDPR. The controller disputed the DPA's reasoning and brought an appeal to the Federal Administrative Court. The controller argued that the SCHUFA case did not apply, because it related to publicly accessible data. It also claimed that the data processing was not a serious interference with the data subject's fundamental rights. The Court upheld the decision on the DPA regarding automated processing, but dismissed the reasoning on processing of payment history. The Court upheld the arguments of the controller, and stated that the facts of the current case differ in essential elements to SCHUFA. The Court conclud
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W292 2301229-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W292 2301229-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: