Court case W252 2246581-1/6E – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit ranking agency must provide more information about how it assesses people's creditworthiness. The agency had claimed it didn't need to share its methods, but the court disagreed. This decision highlights the importance of transparency in how companies use personal data.
What happened
A credit ranking agency was ordered to provide information about the logic behind its automated credit assessments.
Who was affected
Individuals whose creditworthiness was evaluated by the agency's automated decision-making process.
What the authority found
The court decided that the agency must explain the logic behind its credit assessments, as required by GDPR.
Why this matters
This ruling emphasizes that companies must be transparent about their data processing methods. Other businesses should ensure they clearly communicate how they use personal data, especially in automated decisions.
GDPR Articles Cited
The data subject filed a complaint against the controller - a credit ranking agency. In the original procedure before the Austrian DPA, the data subject claimed that their rights resulting from Article 15(1)(h) GDPR were infringed as the controller did not sufficiently inform them about the logic and algorithm used for the processing of their personal data in the context of an automated decision about the data subject's creditworthiness. The controller replied that the processing at issue was not 'automated decision-making' pursuant to Article 22 GDPR, but only 'light profiling' under Article 4(4) GDPR. Therefore, the controller claimed that Article 15(1)(h) GDPR did not apply in the first place. Moreover, the controller argued that the algorithm regulating profiling could not be disclosed, being part of business secrets of the company. The Austrian DPA upheld the complaint and issued a decision against the controller, ordering the latter to provide access to the information requested by the data subject. The controller appealed the decision with the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG), stating that they provided the data subject with sufficient information. The court upheld the controller's appeal. First, the court noted that, according to Article 15(1)(h) GDPR, in case of automated decision-making the controller shall provide the data subject with an explanation about the logic behind the processing. However, this 'logic' shall not be understood as the algorithm or mathematical formula underlying the automated decision. Rather, the controller shall provide the following pieces of information: a) categories of personal data and why they are relevant to the creation of the profile; b) how the profile is created by automated means, with specific regard to the statistical method used; c) why the profile is relevant for the decision; d) how the profile is actually used in the context of the decision. In the case at issue, the c
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W252 2246581-1/6E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W252 2246581-1/6E - Austria (2023). Retrieved from cookiefines.eu
Last updated: