Austrian Data Protection Authority (Datenschutzbehörde - DSB) – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit agency must delete outdated debt information from a person's credit report. This decision shows that old financial data can't be used indefinitely to assess someone's creditworthiness.
What happened
A court ordered a credit reference agency to erase outdated debt entries from a person's credit report.
Who was affected
Individuals whose old debt information was being used by the credit reference agency.
What the authority found
The court decided that the credit agency must delete the entry for a debt that was never repaid but had collection efforts stopped years ago, as it was no longer relevant.
Why this matters
This ruling emphasizes the importance of keeping credit reports up-to-date and not relying on outdated information. It highlights the need for businesses to regularly review and update the data they hold to ensure compliance with privacy laws.
GDPR Articles Cited
A credit reference agency had processed payment experience data on a total of over EUR 1,300 on a data subject. Some of the debts underlying these data had already been repaid, some were still unpaid. In autumn 2019, the data subject requested erasure of all payment experience data under Article 17 GDPR. The credit reference agency refused, arguing a legitimate interest under Article 6(1)(f) GDPR. After the erasure request, the credit reference agency obtained further data on additional debts that the data subjects had failed to pay. The data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB), arguing that the payment experience entries were old and therefore not suitable for assessing their creditworthiness. The data subject further claimed that the data were inaccurate. The DSB partially upheld the complaint and ordered the credit reference agency to erase the four oldest payment experience entries from their database. These entries concerned debts over EUR 66 (fully repaid in December 2014), EUR 60 (never repaid but collection ceased in August 2015), EUR 177 (fully repaid in October 2015) and EUR 84 (never repaid but collection ceased in December 2015). The credit reference filed an appeal against this decision with the federal administrative court (Bundesverwaltungsgericht - BVwG) The BVwG partially upheld the decision. It held that the credit reference agency must indeed erase the database entry on the EUR 60 debt (never repaid but collection ceased in August 2015) but may continue to process the remaining entries. It referred to existing BVwG case law, according to which the [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32013R0575 CRR Regulation] (which obliges banks to assess creditworthiness based on information that reaches at least back five years in the past) can be used as a tool of interpretation to assess the legitimate storage period for payment experience data. The BVwG held that this five
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Austrian Data Protection Authority (Datenschutzbehörde - DSB) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Austrian Data Protection Authority (Datenschutzbehörde - DSB) - Austria (2021). Retrieved from cookiefines.eu
Last updated: