Unnamed data subject – Court Ruling (Austria, 2026)

Court Ruling
Datenschutzbehörde, 19 March 2026, Austria
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The data subject requested access from a credit information agency (the controller). On 23 February 2019, the controller provided information under Article 15 GDPR, including personal data and three credit scores (Risk Indicator, Economic Index, and KKE score). The data subject argued that the response was incomplete, particularly regarding the origin of the data and the logic behind the credit scoring. The controller maintained that it had provided sufficient information, including data sources. It also argued that further details on scoring logic were protected as trade secrets and that the scores had not been disclosed to third parties.

The DPA partially upheld the complaint. It found that the access response was incomplete and ordered the controller to provide more detailed information on the logic of the credit scoring. The controller appealed and assured that the scores had neither been shared with third parties nor had any effect on the data subject. The data subject could not substantiate any actual impact of the scores.

First, the court assessed the scope of Article 15(1)(h) GDPR. It clarified that the obligation to provide meaningful information about the logic of processing applies at least where Article 22 GDPR is triggered.

Second, the court relied on case law of the Court of Justice of the European Union to determine that Article 22 GDPR requires three elements: a decision, based solely on automated processing, that produces legal effects or similarly significant effects for the data subject.

Third, the court held that while the credit scoring constituted automated processing and could qualify as a “decision”, it did not meet the third requirement. The controller had not disclosed the scores to third parties, and the scores had no impact on the data subject. Therefore, the court concluded that Article 22 GDPR did not apply. As a result, the additional transparency obligations under Article 15(1)(h) GDPR were not triggered.

Finally, the court held tha

GDPR Articles Cited

AI-verified

Art. 12 GDPR
Art. 15 GDPR
Art. 4(7) GDPR
Art. 15(1)(h) GDPR
Art. 22(1) GDPR

Decision Authority: BVwG
Reviewed Authority: DSB
Source verified 5 May 2026
articles corrected
authority corrected

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date: 19 March 2026

Authority: Datenschutzbehörde

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unnamed data subject - Austria (2026). Retrieved from cookiefines.eu
