Austrian Data Protection Authority – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit ranking agency could keep processing a person's data even after they settled their debts. This matters because it shows that companies can prioritize their interests over individuals' requests to erase their data. Small business owners should be aware that data retention rules can sometimes favor the company’s needs.
What happened
A court upheld a credit ranking agency's decision to continue processing a person's data after they settled their debts.
Who was affected
The person whose data was processed, who had previously settled their debts and requested erasure of their data.
What the authority found
The court found that the agency's processing of the person's data was necessary for assessing creditworthiness, thus lawful under GDPR.
Why this matters
This ruling highlights that companies may have valid reasons to retain data even after a person requests its deletion. Website operators should evaluate their data retention policies and ensure they understand the legal grounds for keeping user data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2010, debt settlement proceedings were issued against the data subject. The data subject settled the payments of their debts in March 2018. After settling the debts, the civil court ordered to make the personal data of the data subject unavailable to the public in the public insolvency register. The controller, a credit ranking agency, continued to process and store personal data of the data subject that related to his debt settlement procedure that the controller obtained from the public insolvency register. The purpose of the procesing was to assess the creditworthiness of the data subject and his company. The data subject was the company's sole shareholder. The data subject requested the erasure of his personal data on 4 May 2018, after fulfilling his debt payment plan. The controller did not reply. On 24 October 2018, the data subject lodged a complaint at the Austrian DPA against the controller for the infringement of the right to erasure under Article 17 GDPR. The controller informed the DPA by letter the same day that it would not comply with this request. The DPA dismissed the data protection complaint. The decision does not give detail on why the complaint was dismissed. The data subject appealed this decision at the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). The court dismissed the appeal. The court found that the controller’s processing the personal data in question was necessary, as the purpose of the processing was for making a forecast about the future payment behaviour of the data subject. The court found that the interests of the controller and its third parties outweighed the interests of the data subject The court concluded that the processing of data on historical insolvencies and payment defaults of the data subject was necessary and lawful and that the objections raised by the data subject could not justify his request for erasure. The data subject appealed to the decision before the Austrian Supreme Administrative Co
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Austrian Data Protection Authority in AT
Details
About this data
Cite as: Cookie Fines. Austrian Data Protection Authority - Austria (2024). Retrieved from cookiefines.eu
Last updated: