Court case W176 2247074-1 – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court case in Austria involved a credit assessment company that refused to delete negative credit information about a person after their bankruptcy proceedings ended. The court found that the company did not violate data protection rules by keeping the data. This case highlights the balance between privacy rights and business interests in data retention.
What happened
A credit assessment company refused to delete negative credit information about a person after their bankruptcy proceedings ended.
Who was affected
The person whose credit information was retained by the credit assessment company after their bankruptcy proceedings.
What the authority found
The court found that the company did not violate data protection rules by keeping the data, as the retention was justified under Austrian law.
Why this matters
This case underscores the importance of understanding national laws that may justify data retention beyond what individuals expect. Businesses should be aware of how local laws interact with privacy rights when handling personal data.
GDPR Articles Cited
National Law Articles
The controller's business was the assessment of individuals' creditworthiness. For this purpose, the controller stored personal data in a database. One of these individuals was the data subject. In addition to the data subject's personal and address data, the controller saved a note about the data subject's bankruptcy proceedings in its database. Based on the outcome of such proceedings, the data subject's bankruptcy payments had to be concluded by 2018. In 2019, the data subject requested the controller to delete all negative entries related to his the creditworthiness. The controller rejected the request. Subsequently, data subject lodged a complaint in 2020 which, essentially, focused on the (i) rights to rectification (Article 16 GDPR), (ii) right to erasure (Article 17 GDPR), (iii) right to restriction of processing (Article 18 GDPR), and (iv) right to object to processing (Article 21 GDPR). All rights used by the data subject served the overarching goal of stopping or limiting the controller's processing. Moreover, the data subject argued that after three years of the conclusion of bankruptcy proceedings and after the related payments had ended, credit assessment companies have to delete an affected data subject's personal data. (It was unclear on what basis the data subject came up with the time span of three years.) The controller responded that the right to data protection had not been breached. In regards to (i) the rectification request, the controller reasoned that as interests of the parties would have to be balanced, a three year retention period could not simply be assumed. In regards to (ii) the right to erasure, the controller based the legitimacy of its processes on the sanctioning of the process through Austrian national law, namely, [https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Bundesnormen&Dokumentnummer=NOR40032660 § 152 GewO], which regulates the disclosure of information by credit ranking agencies, and [https://www.ris.bka.gv.at/eli/rgbl/
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W176 2247074-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W176 2247074-1 - Austria (2022). Retrieved from cookiefines.eu
Last updated: