CRIF – Complaint Upheld (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
CRIF, a credit information agency, didn't provide enough information to a person who asked about their credit score. This matters because it shows that companies must be clear about how they calculate scores and what data they use. Transparency is key for people to understand and trust these services.
What happened
CRIF failed to give a complete explanation of how it calculated a person's credit score and the data used.
Who was affected
The person who requested their credit information from CRIF.
What the authority found
The Austrian data protection authority ruled that CRIF violated the person's right to information and transparency requirements under GDPR.
Why this matters
This decision emphasizes that companies must provide clear details about automated decision-making processes. Other businesses should ensure they are transparent about how they handle personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject submitted a request for information pursuant to Article 15 GDPR to CRIF, a credit information agency that collects and processes personal data to assess creditworthiness. The information provided to the data subject by CRIF contained general categories of personal data and score values, but no detailed explanation of the calculation logic. The data subject lodged a complaint with the Austrian DPA (DSB), arguing that the information provided by CRIF was incomplete. The basis on which the "verification score" and the values mentioned under "personal hits" were based was not disclosed. Also copies of the data records that had been passed on by or to third parties, were not provided. The data subject further stated that the scores based on place of residence did not reflect his actual creditworthiness and were therefore unlawful. CRIF stated that the verification score serves to confirm identities and is based on several parameters. It also argued that details of the calculation would only have to be disclosed to the extent that no business secrets would be affected. The DSB upheld the complaint and stated that CRIF violated the data subject’s right to information pursuant to Article 15(1)(c), (g), and (h) GDPR and transparency obligations under Article 12(1) GDPR. CRIF failed to provide any meaningful information about the logic involved or the scope and intended effects of automated data processing (including profiling) and copies of the processed personal data. Also CRIF did not disclose a sufficient specification of the data transmitted to recipients, or any details regarding the transfer of personal data to a third country. According to CJEU case law, under Article 15(1)(h) GDPR, a controller is obliged to inform the data subject about the existence of automated decision-making, including profiling, and to explain the logic involved and the scope of processing, in order to enable the data subject to effectively exercise his rights under Article 2
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (1)
Other enforcement actions involving CRIF in AT
Details
About this data
Cite as: Cookie Fines. CRIF - Austria (2025). Retrieved from cookiefines.eu
Last updated: