Data subject versus Credit Agency – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In October 2018, a data subject requested access under Article 15 GDPR from a credit information company (the controller, later merged into another entity). The controller provided a three-page response, listing basic personal data, addresses, financial details, and references to sources. It also denied conducting automated decision-making within the meaning of Article 22 GDPR. The data subject lodged a complaint with the DPA in December 2018, claiming the access was incomplete and failed to explain how data were linked to processing purposes, recipients, or legal bases. They also argued that automated decision-making and profiling (credit scoring) were taking place, contrary to the controller’s denial. The DPA failed to decide within the statutory time limit, leading the data subject to file an inactivity complaint. The case was then transferred to the Federal Administrative Court (BVwG). The Court stayed proceedings until the CJEU issued its preliminary ruling in case C-203/22 (Dun & Bradstreet). Following the preliminary ruling, the controller argued that it provided sufficient information to the data subject, as the CJEU had concluded that a controller did not need to provide a mathematical formula (algorithm) or a detailed description of each step of the automated decision-making process. In the case that the Court concluded it needed to provide further information, the controller argued that this would involve disclosing trade secrets. The Court partly upheld the complaint. It found that the controller had violated Article 15(1)(a) GDPR by failing to provide sufficiently specific information about the purposes of processing. According to the Court, the controller had provided information on the purposes that was too vague. Specifically, statements such as “improving user-friendliness” or “marketing purposes” did not meet the requirements under Article 15, 5(1)(b) or Article 12(1) GDPR. The Court stated that the controller had not clarified what data was us
GDPR Articles Cited
In October 2018, a data subject requested access under Article 15 GDPR from a credit information company (the controller, later merged into another entity). The controller provided a three-page response, listing basic personal data, addresses, financial details, and references to sources. It also denied conducting automated decision-making within the meaning of Article 22 GDPR. The data subject lodged a complaint with the DPA in December 2018, claiming the access was incomplete and failed to explain how data were linked to processing purposes, recipients, or legal bases. They also argued that automated decision-making and profiling (credit scoring) were taking place, contrary to the controller’s denial. The DPA failed to decide within the statutory time limit, leading the data subject to file an inactivity complaint. The case was then transferred to the Federal Administrative Court (BVwG). The Court stayed proceedings until the CJEU issued its preliminary ruling in case C-203/22 (Dun & Bradstreet). Following the preliminary ruling, the controller argued that it provided sufficient information to the data subject, as the CJEU had concluded that a controller did not need to provide a mathematical formula (algorithm) or a detailed description of each step of the automated decision-making process. In the case that the Court concluded it needed to provide further information, the controller argued that this would involve disclosing trade secrets. The Court partly upheld the complaint. It found that the controller had violated Article 15(1)(a) GDPR by failing to provide sufficiently specific information about the purposes of processing. According to the Court, the controller had provided information on the purposes that was too vague. Specifically, statements such as “improving user-friendliness” or “marketing purposes” did not meet the requirements under Article 15, 5(1)(b) or Article 12(1) GDPR. The Court stated that the controller had not clarified what data was us
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data subject versus Credit Agency in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data subject versus Credit Agency - Austria (2025). Retrieved from cookiefines.eu
Last updated: