Court case W214 2222613-2 – Court Ruling (Austria, 2023)

A credit reference agency (the controller), acting under Austrian law (Article 152 of the Law on business activity - [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10007517 Gewerbeordnung]), created an identity and creditworthiness database. Using the collected data, the controller assigned individuals with a creditworthiness score. Apart from identifying data, the controller processed a final score and the “interim” scores, used to create the final one. The database was framed and logically prepared within the Microsoft SQL Server software. The database consisted of various tables, defined and related to each other. The design of the database aimed at maximizing the performance of the database, inter alia by avoiding redundant storage of data. One of the people whose data had been collected in the database (the data subject) exercised their rights under Article 12 GDPR and Article 15 GDPR with the controller. They requested details on the processing activities pursued and the copy of the data in a “standard technical format”. The controller answered the access request and provided the data subject with the details of processing activities, in particular, the source of the data, data recipients, the creditworthiness score. The data subject, unsatisfied with the answer, lodged a complaint with the Austrian DPA (DSB) regarding the violation of Article 14 GDPR and violation of Article 15 GDPR, indicating the controller didn’t provide them with the copy of the data. The DPA dismissed the case. The DPA’s decision was appealed by the data subject with the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). In the meantime, the controller supplemented the information sent to data subject, explaining retention period, criteria of data deletion, and claiming that in previous six months there were no inquiries regarding the creditworthiness of data subject. During the proceedings before the court, the controller provided