Datenschutzbehörde (Austrian Data Protection Authority) – Court Ruling (Austria, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Austrian Data Protection Authority ruled that a credit reference agency could keep data on payment defaults for up to five years after debts are cleared. The agency was also ordered to delete outdated address information. This decision helps clarify how long financial data can be stored, which is important for businesses handling credit information.
What happened
A credit reference agency was allowed to store data on payment defaults for up to five years after debts were cleared.
Who was affected
Individuals whose cleared debts were still recorded by the credit reference agency.
What the authority found
The court upheld that storing data on payment defaults for up to five years is lawful, but outdated address information must be deleted.
Why this matters
This ruling clarifies that credit agencies can retain financial data for a set period, ensuring businesses know how long they can keep such records. It also highlights the importance of keeping personal data updated and accurate.
GDPR Articles Cited
In April 2019, the data subject sent an request for erasure of data on several payment defaults and some address data to the credit reference agency (CRA) CRIF GmbH because the debts had all been cleared. The CRA refused the erasure, stating that the data was still relevant for the purposes of assessing the data subject's creditworthiness. In June 2019, the data subject lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB), stating that all debts still stored in the CRA's data base have been cleared and that several debts only concerned insignificant amounts. The DSB rejected the complaint regarding the data on payment defaults but ordered the CRA to delete data on an old address of the data subject. The DSB held that the data on the payment defaults concern a total amount of more than EUR 3,000 and that none of the debts has been cleared more than 5 years ago. Under case law by the BVwG (see BVwG - W211 2225136-1), CRAs are allowed to store data on payment defaults or insolvencies for a five-year period after the clearance of the debt. The data subject filed an appeal against this decision by the DSB. In this appeal he/she also argued (for the first) time, that the CRA had also violated Article 14 GDPR because the data subject had never been informed about the processing of his/her data. Hence, the data must also be deleted under Article 17(1)(d) GDPR. Was the CRA allowed to still store data on payment defaults after the debts have been cleared? If so, for how long? Does the failure to inform the data subject under Article 14 GDPR result in the general unlawfulness of the processing and the obligation for the controller to delete the data under Article 17(1)(d) GDPR? The BVwG rejected the appeal and fully upheld the decision by the DSB. On the issue of storage duration of the data on payment defaults, the BVwG agreed with the DSB's reasoning and held that none of the data must be erased at the time of the decision. All the data stored could still
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Datenschutzbehörde (Austrian Data Protection Authority) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Datenschutzbehörde (Austrian Data Protection Authority) - Austria (2020). Retrieved from cookiefines.eu
Last updated: