CRIF – Complaint Upheld (Austria, 2025)

Complaint Upheld
Datenschutzbehörde | 14 October 2025 | Austria | final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The data subject submitted a request for information pursuant to Article 15 GDPR to CRIF, a credit information agency that collects and processes personal data to assess creditworthiness. The information CRIF provided contained general categories of personal data and score values, but no detailed explanation of the calculation logic.

The data subject lodged a complaint with the Austrian DPA (DSB), arguing that the information provided by CRIF was incomplete. The basis for the "verification score" and for the values mentioned under "personal hits" was not disclosed. Copies of the data records that had been passed on by or to third parties were also not provided. The data subject further stated that the scores based on place of residence did not reflect his actual creditworthiness and were therefore unlawful.

CRIF stated that the verification score serves to confirm identities and is based on several parameters. It also argued that details of the calculation would only have to be disclosed to the extent that no business secrets would be affected.

The DSB upheld the complaint and stated that CRIF violated the data subject's right to information pursuant to Article 15(1)(c), (g), and (h) GDPR and the transparency obligations under Article 12(1) GDPR. CRIF failed to provide any meaningful information about the logic involved or the scope and intended effects of automated data processing (including profiling), and failed to provide copies of the processed personal data. CRIF also did not sufficiently specify the data transmitted to recipients or give any details regarding the transfer of personal data to a third country.

According to CJEU case law, under Article 15(1)(h) GDPR, a controller is obliged to inform the data subject about the existence of automated decision-making, including profiling, and to explain the logic involved and the scope of processing, in order to enable the data subject to effectively exercise his rights under Article 2

GDPR Articles Cited

Art. 12 GDPR
Art. 15(1)(c) GDPR
Art. 15(1)(g) GDPR
Art. 15(1)(h) GDPR
Art. 22(3) GDPR

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for CRIF in AT

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date: 14 October 2025
Authority: Datenschutzbehörde
GDPRhub ID: gdprhub-9558

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CRIF - Austria (2025). Retrieved from cookiefines.eu
