KSV Information GmbH – Complaint Upheld (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject, via a service company, attempted to conclude an energy supply contract with a distribution company for electrical energy and gas (“energy provider”). After filling out the relevant form, the data subject first received a welcome email confirming him as a new customer within one minute, and immediately thereafter a message informing him that his application had been rejected for creditworthiness reasons. The rejection of the data subject's application was based on a credit score the energy provider requested from a credit information agency ("the credit information agency"). The entire process took place without the involvement of a natural person, and neither at the time of the alleged infringement nor at the time of the complaint did the privacy policies of either the energy provider or the credit information agency provide any information about the existence of such an automated decision. The data subject subsequently submitted access requests to both controllers under Article 15 GDPR. However, both controllers provided incomplete information concerning the automated decision, including the logic involved, or the procedures and principles applied in the automated processing of the data subject’s personal data. Following the data subject’s intervention, the energy provider offered to conclude an energy supply contract with the data subject on different terms, but, in the meantime, the data subject had felt compelled to enter into a less economically favorable contract with a competitor. The data subject claimed violations of Article 13(2)(f) GDPR , Article 14(2)(g) GDPR, Article 15(1)(a) GDPRand Article 22(1) GDPR. The data subject also requested that the Austrian Data Protection Authority (DSB) order both controllers to provide a complete response under Article 15(1)(h) GDPR and to prohibit automated decision-making. Holding concerning the credit information agency: The DPA held that the credit information agency violated the data subject's rig
GDPR Articles Cited
Entities Involved
The data subject, via a service company, attempted to conclude an energy supply contract with a distribution company for electrical energy and gas (“energy provider”). After filling out the relevant form, the data subject first received a welcome email confirming him as a new customer within one minute, and immediately thereafter a message informing him that his application had been rejected for creditworthiness reasons. The rejection of the data subject's application was based on a credit score the energy provider requested from a credit information agency ("the credit information agency"). The entire process took place without the involvement of a natural person, and neither at the time of the alleged infringement nor at the time of the complaint did the privacy policies of either the energy provider or the credit information agency provide any information about the existence of such an automated decision. The data subject subsequently submitted access requests to both controllers under Article 15 GDPR. However, both controllers provided incomplete information concerning the automated decision, including the logic involved, or the procedures and principles applied in the automated processing of the data subject’s personal data. Following the data subject’s intervention, the energy provider offered to conclude an energy supply contract with the data subject on different terms, but, in the meantime, the data subject had felt compelled to enter into a less economically favorable contract with a competitor. The data subject claimed violations of Article 13(2)(f) GDPR , Article 14(2)(g) GDPR, Article 15(1)(a) GDPRand Article 22(1) GDPR. The data subject also requested that the Austrian Data Protection Authority (DSB) order both controllers to provide a complete response under Article 15(1)(h) GDPR and to prohibit automated decision-making. Holding concerning the credit information agency: The DPA held that the credit information agency violated the data subject's rig
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for KSV Information GmbH in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. KSV Information GmbH - Austria (2025). Retrieved from cookiefines.eu
Last updated: