Court case W292 2248672-1 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In 2020, the data subject wanted to enter into an energy supply contract with an energy supplier, but received a letter from the energy supplier on 1 October 2020 stating that this was not possible due to an insufficient credit rating. The credit check was carried out by a credit reference agency (the controller). On 7 October 2020, the data subject submitted an access request under Article 15 GDPR to the controller. On 8 October 2020, the controller provided the data subject with the personal data it held about the data subject, including their name and address. It also stated that the energy supplier had made a credit inquiry to the controller about the data subject on 1 October 2020.
On 7 January 2021, the data subject requested that the controller properly comply with its obligation to provide access. On 13 January 2021, the controller replied that there was no right of access under Article 15(1)(h) GDPR with regard to the calculation of credit scores and the parameters and methods used to calculate a risk value, as those were considered business secrets of the controller. On 17 March 2021, the data subject lodged a complaint against the controller with the Austrian DPA (“Datenschutzbehörde”, DSB).
In the proceedings, the controller argued that there was no automated decision-making within the meaning of Article 22 GDPR and that there was therefore no right of access under Article 15 GDPR. It furthermore argued that it calculated the credit score on the basis of the parameters “qualified payment defaults (debt collection entries, insolvency, etc.), age, and place of residence”. Regarding the data subject, the controller sent a “medium” credit score to the energy supplier. No negative payment history data was available in the controller’s system to determine the creditworthiness score of the data subject. The controller stated it collected data from publicly available sources, data from address publishers and information on payment experience provided by corporate customers an
GDPR Articles Cited
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W292 2248672-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. Court case W292 2248672-1 - Austria (2024). Retrieved from cookiefines.eu