CRIF GmbH – CJEU Judgment (Austria, 2024)

The controller CRIF GmbH operates a credit agency and processes personal data of the data subject in question for this purpose. The credit rating information about the data subject is not based on any payment history but only on general data such as address, age and gender. The controller purchased data on the data subject's first and last name, address and date of birth from X. X operates an address publishing and direct marketing company. The data subject did not consent to the processing of that data. The data subject cannot successfully run its business without appearing in the controller's database, because just that fact of not appearing reduces creditworthiness. Therefore the data subject did not pursue deletion but only the termination of processing by the controller of data from X. The court of first instance held, that the controller had wrongfully processed the data subject's personal data and ordered an injunction. It held, that the controller had inappropriately used data for the purpose of assessing creditworthiness, which had originally been collected for the purposes of address publishing and direct marketing by X. The controller therefore should have informed the data subject in accordance with Article 14 GDPR that it collects data from third parties. The court stated that [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10007517&FassungVom=2025-01-25&Artikel=&Paragraf=151&Anlage=&Uebergangsrecht= § 151 Trade Regulation] (Gewerbeordnung - GewO) - privileging data collected by address publisher and direct marketing companies - does not constitute a legal basis for the (further) processing of data because it is not a legal provision within the meaning of Article 6(1) in conjunction with Article 6(4)(h) GDPR, but only a standard under commercial law . The court did not find a connection between the original purpose of the address publisher - and the new purpose of credit assessment. The court found it irrelevant, that t