Court case Ra 2023/04/0271 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit information agency did not violate data protection rules when it denied a person's request for detailed information about their creditworthiness score. The court found that the agency had deleted some data at the person's request and provided enough information about the remaining data. This case highlights the importance of clear communication from companies about how they use personal data.
What happened
A person requested access to information about how their creditworthiness score was calculated from a credit information agency.
Who was affected
The individual who requested information about their creditworthiness score from the agency.
What the authority found
The court decided that the agency did not violate data protection rules because it deleted data at the person's request and provided sufficient information about the remaining data.
Why this matters
This ruling emphasizes that companies must clearly explain how they use personal data, especially when it comes to sensitive information like credit scores. It serves as a reminder for businesses to maintain transparency in their data practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject lodged a data protection complaint against a credit information agency (the controller) with the Austrian Data Protection Authority (DSB). The data subject requested access under Article 15 GDPR to understand how his personal data were processed, specifically regarding the calculation of his creditworthiness score, including the logic, factors, and rules applied. At that time, the controller maintained two datasets about him: one as a private individual and one as a sole trader. Following a prior deletion request by the data subject, the controller deleted certain data related to his previous debt settlement proceedings. Regarding the controller's response to the access request, the data subject argued that provided information was inadequate.He claimed that he was entitled to a full explanation of how the score was generated and how the underlying data influenced it. The DSB initially sided with the data subject, finding that the controller violated Article 15 GDPR by deleting one dataset after the access request and providing insufficient information on the remaining dataset. The DSB ordered the controller to clarify and supplement the information provided. The controller further appealed to the Federal Administrative Court (BVwG), which overturned the DSB’s decision. It found that the deletion of the dataset had been at the request of the data subject, and therefore did not constitute a violation. Regarding the second dataset, the court held that the access provided was sufficient because the creditworthiness score value of 0.01 was a manually assigned neutral baseline, not a result of an automated decision or profiling. Consequently, no automated decision-making under Article 22 GDPR occurred, and the data subject received adequate information about the sources, parameters, and general methodology for future creditworthiness assessments. The data subject then filed an extraordinary revision with the Administrative Supreme Court (VwGH) . The S
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ra 2023/04/0271 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ra 2023/04/0271 - Austria (2025). Retrieved from cookiefines.eu
Last updated: