KSV Information GmbH – Complaint Upheld (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Austrian Data Protection Authority upheld a complaint against KSV Information GmbH for failing to provide clear information about automated decision-making. A person was denied a service based on a credit score without proper explanation. This case stresses the need for transparency in automated processes.
What happened
KSV Information GmbH did not inform a person about the automated decision-making that led to the rejection of their application for energy services.
Who was affected
The individual who applied for an energy supply contract was affected by the automated decision.
What the authority found
The authority found that KSV Information GmbH violated GDPR rules by not providing adequate information about the automated decision process.
Why this matters
This ruling underscores the importance of transparency in automated decision-making. Companies using such systems must ensure they inform users about how their data is processed and the logic behind decisions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The data subject, via a service company, attempted to conclude an energy supply contract with a distribution company for electrical energy and gas (“energy provider”). After filling out the relevant form, the data subject first received a welcome email confirming him as a new customer within one minute, and immediately thereafter a message informing him that his application had been rejected for creditworthiness reasons. The rejection of the data subject's application was based on a credit score the energy provider requested from a credit information agency ("the credit information agency"). The entire process took place without the involvement of a natural person, and neither at the time of the alleged infringement nor at the time of the complaint did the privacy policies of either the energy provider or the credit information agency provide any information about the existence of such an automated decision. The data subject subsequently submitted access requests to both controllers under Article 15 GDPR. However, both controllers provided incomplete information concerning the automated decision, including the logic involved, or the procedures and principles applied in the automated processing of the data subject’s personal data. Following the data subject’s intervention, the energy provider offered to conclude an energy supply contract with the data subject on different terms, but, in the meantime, the data subject had felt compelled to enter into a less economically favorable contract with a competitor. The data subject claimed violations of Article 13(2)(f) GDPR , Article 14(2)(g) GDPR, Article 15(1)(a) GDPRand Article 22(1) GDPR. The data subject also requested that the Austrian Data Protection Authority (DSB) order both controllers to provide a complete response under Article 15(1)(h) GDPR and to prohibit automated decision-making. Holding concerning the credit information agency: The DPA held that the credit information agency violated the data subject's rig
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for KSV Information GmbH in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. KSV Information GmbH - Austria (2025). Retrieved from cookiefines.eu
Last updated: