BVwG - W292 2301229-1

Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(4) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 15(1)(h) GDPR
Article 17 GDPR
Article 22(1) GDPR
Article 22(2) GDPR
Article 7 CFREU
Article 8 CFREU
Decided: 28.03.2025
Published: 27.05.2025
Parties:
National Case Number/Name: W292 2301229-1
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ap

A court concluded that credit scoring is itself a decision, and that the rules on automated decision-making apply to credit scoring if it is done automatically. Because of this, the controller (a credit agency) was considered to be processing data in breach of the GDPR and was ordered to delete the data subject's data.

English Summary

Facts

In 2024, a data subject filed a complaint with the DPA regarding the right to erasure of stored payment history data. The controller, a credit reporting agency, updated the data subject's credit score following an out-of-court settlement in 2019. The data subject's request for a loan was rejected because banks received the information "Score value 0 - no calculation possible" when requesting information about the data subject. This value was an error resulting from the controller being unable to correctly assign a numerical value to the out-of-court settlement. The entries analysed by the DPA and the Court were the one on the completion of the out-of-court settlement and "Score value 0: No calculation possible".

In its decision, the DPA applied the reasoning of CJEU case law (the SCHUFA case) to conclude that the processing of payment history also constitutes a serious interference with the fundamental rights to privacy and data protection (Articles 7 and 8 CFREU). The DPA then applied national law on time limits for the processing of data related to insolvency proceedings, arguing that the controller should have deleted the data relating to the out-of-court settlement. By not deleting this information, the controller was violating the data subject's right to erasure under Article 17 GDPR.

The controller disputed the DPA's reasoning and brought an appeal to the Federal Administrative Court. The controller argued that the SCHUFA case did not apply, because it related to publicly accessible data. It also claimed that the data processing was not a serious interference with the data subject's fundamental rights.

Holding

The Court upheld the DPA's decision regarding automated processing, but rejected its reasoning on the processing of payment history.

The Court upheld the arguments of the controller and stated that the facts of the present case differ in essential respects from SCHUFA. The Court concluded that the processing was lawful under Article 6(1)(f) GDPR because the controller makes this information available only to a limited circle of banks, lending insurance companies and leasing companies. The Court also considered that the effect of this processing was not detrimental to the data subject, because they were able to conclude two leasing agreements following the out-of-court settlement.

In its analysis of the zero-score value, the Court considered that it played a decisive role in the decision to grant credit. This is supported by the fact that the bank refused the loan specifically because of the error message. Therefore, this constitutes a legal or similarly significant effect within the meaning of Article 22(1) GDPR. The Court also stated that the processing carried out by the controller falls within the scope of profiling under Article 4(4) GDPR, following SCHUFA. Furthermore, there would be a risk of circumventing Article 22 and the data subject's rights if the provision were interpreted narrowly so as to apply only to the third party making the decision. One example is the right of access under Article 15(1)(h) GDPR, because the third party making the decision would not be able to explain how the credit agency reached its conclusion.

Finally, the Court analysed whether any of the exceptions permitting automated decision-making (Article 22(2) GDPR) apply. In this case, none of them does. In addition, the Court stated that the controller had not processed the data lawfully and had not acted in good faith. It is important to note that, according to the Court, the calculation of a credit score by a credit reporting agency remains permissible. However, it must play a supporting rather than a decisive role in determining creditworthiness, as set out in SCHUFA.

The Court ordered the controller to delete the error message entry in accordance with Article 17(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision Date

March 28, 2025

Legal norms

B-VG Art. 133 Para. 4
DSG §1
DSG §24
GDPR Art. 16
GDPR Art. 17
GDPR Art. 18
GDPR Art. 21
GDPR Art. 22 Para. 1
GDPR Art. 4
GDPR Art. 5
GDPR Art. 6 Para. 1 litf
GewO 1994 §152
IO §256

Ruling

W292 2301229-1/29E

IN THE NAME OF THE REPUBLIC

The Federal Administrative Court, with Judge Mag. Herwig ZACZEK as presiding judge and the expert lay judges Mag.a Huberta MAITZ-STRASSNIG and Mag. Matthias SCHACHNER as assessors, on the appeal filed by XXXX, represented by BLS Rechtsanwälte GmbH, against the decision of the Data Protection Authority dated XXXX 2024, Ref. No. XXXX (co-participating party XXXX), after conducting an oral hearing on January 24, 2025, has rightly ruled:

A)       

The appeal is partially upheld and the contested decision is amended so that the overall ruling reads as follows:

"The data protection complaint of XXXX (as data subject) dated XXXX 2024, amended by a submission dated XXXX 2024, against XXXX (controller), due to a violation of the right to erasure pursuant to Art. 17 GDPR, in that the controller continuously processes personal payment history data relating to the data subject for commercial purposes in its database XXXX and makes it available to third parties,

a) With regard to the information "Completion of out-of-court settlement XXXX", the complaint is rejected as unfounded, as the further processing of this information for the purpose of credit assessment by the limited circle of persons authorized to access XXXX is covered by Art. 6 (1) (f) GDPR for a period of up to five years after the settlement of the out-of-court settlement.

b) With regard to the processing of the information "XXXX - Score value 0: No calculation possible", the complaint is upheld and it is determined that the processing of this information within XXXX for the purpose of making it available to third parties violates Article 22 (1) GDPR and must therefore be deleted in its current form in accordance with Article 17 (1) (d) GDPR."

B) The appeal is inadmissible pursuant to Article 133, Paragraph 4 of the Federal Constitutional Law (B-VG).

Text

Reasons for the decision:

I. Course of proceedings:

1. By email dated XXXX 2024, XXXX (hereinafter: co-participating party) contacted the data protection authority (hereinafter: respondent authority), filed a data protection complaint against XXXX (hereinafter: complainant), and essentially argued that the complainant violated its right to erasure under Article 17 GDPR by storing payment history data relating to the co-participating party in a database operated by XXXX in the course of its business. In 2019, the co-participating party concluded an out-of-court settlement with XXXX for a period of 36 months and paid the corresponding installments on time, which meant that the complainant had to change the credit rating of the co-participating party. However, this did not happen even after repeated correspondence with the complainant (most recently on XXXX 2024). Due to this credit rating entry and the complainant's resulting refusal to calculate the XXXX score (forecast probability of default within 12 months), the co-participating party is viewed by banks as a risk and is rejected for new loans.

In a submission dated XXXX 2024, the co-participating party amended its data protection complaint using a form provided by the respondent authority, stating that the complaint was based on the right to erasure. Thus, the co-participating party's entry in the complainant's creditworthiness database is inadmissible and must be deleted. Before October 2023, its XXXX score showed a probability of default of 0.60% (value 554); due to the unauthorized entry, a calculation is no longer possible (value 0), which is detrimental to the co-participating party. The co-participating party has repeatedly requested the deletion of the entry from the complainant by telephone and email, but has been referred to the lending institution, as that institution can amend or delete the entry.

2. The complainant subsequently submitted a statement in a written submission dated March 21, 2024, through its legal representative, in which it stated in advance that it was responsible for data processing in connection with the operation of the credit database XXXX and the associated services. The subject matter of the proceedings is that the entry regarding the co-participating party's repayment loan with a final maturity date of XXXX and the settlement of the outstanding loan claims by means of an out-of-court settlement on XXXX is correct. There is no reason to delete the entry, in particular because the complainant operates as a credit agency and has a legitimate interest in providing credit reports. Furthermore, third parties, in particular the lending industry, which is legally obliged to conduct credit checks, have a legitimate interest in creditor protection, as information regarding past payment defaults remains relevant for assessing the creditworthiness of the person concerned.

The entry in question does not constitute information from the insolvency database and therefore does not fall within the scope of the ECJ case law of December 7, 2023, cited by the respondent authority. Consequently, a minimum five-year observation period for payment defaults derived from the Capital Adequacy Regulation was used as a guideline for the retention period of relevant information. A case-by-case assessment and balancing of interests were conducted with reference to the more specifically identified case law of the Supreme Court and Administrative Court regarding the processing of historical payment history data from non-public files. Since less than two years have passed since the completion of the out-of-court settlement underlying the entry (as the relevant point in time), and no reasons have been asserted in the individual case why premature deletion should be carried out based on a case-by-case review, creditor protection and thus the legitimate interests of third parties should be given greater priority than the interest of the data subject in having the payment history data in question deleted.

To the extent that the co-participating party argues that a non-existent XXXX score could be considered insolvency, this is not the case; there is simply insufficient information available to calculate it. Furthermore, the complainant stated that no decisions would be made based on this value that could affect the legitimate interests of the co-participating party. Compliance with Article 22 of the GDPR would be ensured (contractually) by the complainant in the event of the value being communicated to customers.

3. On March 22, 2024, and March 27, 2024, two supplementary statements were received by the respondent authority from the co-participating party, stating that the entry in the complainant's creditworthiness database did not serve the legitimate interests of third parties and that further storage was therefore inadmissible.

4. On April 18, 2024, the complainant submitted a statement to the respondent authority on this matter, arguing that the co-participating party had been informed of the entry of the repayment loan in the creditworthiness database upon signing the loan agreement with XXXX in XXXX 2015. Furthermore, the XXXX score had not been calculated, which is why, in the complainant's view, no decisions by third parties were made based on this value. Furthermore, a five-year retention period for the entry on the fulfillment of the out-of-court settlement with XXXX was justified by the legitimate (creditor protection) interests of third parties.

5. The co-participating party subsequently filed a statement on May 13, 2024, in which it argued that the data protection complaint was directed against the entry of the settlement of the installment loan and the lack of calculation of the XXXX score, and that the five-year retention period applied by the complainant was still considered inadmissible, especially since no such entry for the co-participating party appeared in comparable credit databases.

6. The co-participating party subsequently submitted a further statement on August 1, 2024.

7. By decision of the respondent authority dated XXXX 2024, file reference XXXX, the authority upheld the co-participating party's data protection complaint for a violation of the right to erasure and found that the complainant had violated the co-participating party's right to erasure by continuously processing payment history data (specifically, "Settlement of out-of-court settlement XXXX") and the XXXX score value "Score value 0: No calculation possible" and not deleting them from its database (point 1 of the decision). Furthermore, the complainant was ordered to completely delete the entries mentioned under point 1 of the decision within a period of two weeks (point 2 of the decision).

In its justification for ruling point 1, the respondent authority essentially stated that the complainant had processed data of the co-participating party (specifically, the entries in the creditworthiness database mentioned in the ruling) and that a balancing of interests had to be carried out in this regard. The complainant's economic interest in being able to operate as a credit information agency, as well as the interest of third parties in obtaining information to assess the creditworthiness of the co-participating party, are counterbalanced by the interests and rights of the co-participating party, whose economic advancement is impaired by such processing. The assessment expressed by the ECJ in its judgment of December 7, 2023, in Cases C-26/22 and C-64/22, according to which the processing of data on insolvencies by a credit information agency constitutes a serious interference with fundamental rights, must also apply to the processing of other historical payment history data. Furthermore, in the absence of independent statutory retention periods, the statutory retention periods for public insolvency registers (usually up to one year after the termination of insolvency proceedings) are also relevant for other historical payment history data processed by credit information agencies. In view of the settlement of the out-of-court settlement on XXXX and the lack of indications that would justify further processing, further data processing is not necessary. With regard to the XXXX score calculated by the complainant ("Score value 0: No calculation possible"), it can be assumed that this is personal data of the co-participating party, and it is not apparent to what extent this serves the interest of providing credit information or creditor protection.

8. The complainant, represented by its legal representative, filed an appeal against the decision on XXXX 2024, arguing in summary that the ECJ's case law in Joined Cases C-26/22 and C-64/22 of December 7, 2023, relied on by the respondent authority, was not relevant to the case, as the legal assessments contained therein referred to data from public insolvency databases and publicly accessible data, respectively, and the respondent authority erred in law by failing to differentiate according to the origin of the data. Furthermore, the present data processing did not constitute a serious infringement of fundamental rights, as in the case of an out-of-court settlement the creditworthiness of a data subject remains largely unaffected, in contrast to the discharge of residual debt, which must be publicly announced. Furthermore, the insolvency law deletion periods could not be used to mandate the deletion of other historical payment history data from private databases, as these serve a completely different purpose: general creditworthiness assessment, independent of any insolvency proceedings.

The complainant also criticized the inadequate case-by-case review by the respondent authority, particularly since the complainant's legal basis and legitimate interest in the data processing in question exist within the scope of the credit agency's business. The legitimate interest of third parties in creditor protection and risk minimization was also not sufficiently taken into account, especially since the co-participating party has experienced payment irregularities in the past, and a shorter retention period would run counter to the essential requirements of the entire credit industry. The Capital Adequacy Regulation stipulates that credit institutions must assess payment defaults for customer evaluation and risk assessment purposes over a period of at least five years, and this is consistent with the cited current case law of the Supreme Court and the Administrative Court.

With regard to the XXXX score "Score value 0: No calculation possible," the complainant takes the legal view that this is generally calculated from multiple personal data items, but that this was not done due to a lack of sufficient information on the co-participating party. Therefore, no personal data of the co-participating party was processed in this regard. Removing this entry could be interpreted as an increased risk of default and would therefore not be in the interests of the co-participating party, especially since the co-participating party had suggested a specific calculation to the complainant.

9. On October 3, 2024, the respondent authority submitted the appeal against the decision, along with the relevant administrative files, to the Federal Administrative Court.

10. On November 13, 2024, a statement from the co-participating party was received in response to a court order. According to this, the complainant, contrary to its appeal, had indeed calculated the XXXX score and thus had sufficient information about the co-participating party.

11. The complainant, through its legal representation, submitted statements dated November 26, 2024, and November 28, 2024, and stated, in response to the court's request, that the entry in the creditworthiness database at issue in the proceedings was still being processed. Furthermore, it was no longer technically possible to calculate the XXXX score with the entry of the out-of-court settlement, and the score in question did not contain any information on the co-participating party and therefore did not constitute personal data.

12. On January 24, 2025, an oral hearing in the present case took place before the Federal Administrative Court, during which the deciding Senate discussed the factual and legal situation in detail with the parties.

13. Following the oral hearing, the parties submitted further documentary evidence at the request of the court and essentially reiterated their respective previously expressed legal positions.

II. The Federal Administrative Court considered:

II.1. Findings:

II.1.1. Regarding the complainant:

The complainant, XXXX, operates a business pursuant to Section 152 of the Trade Regulation Act 1994, "Credit Information Agency."

As part of its business, the complainant operates a database designated XXXX.

The XXXX database contains consumer credit information and is described by the complainant on its website as "the key tool for responsible and rapid credit approval." Accordingly, only banks, lending insurance companies, and leasing companies based in the European Single Market can register and query information. The goal is to protect the lending industry from financial damage and to ensure that private individuals do not take out loans from different institutions that they cannot repay in total.

The following information can be found under the "Data Protection" section on the complainant's website regarding XXXX [https://www. XXXX , last accessed on March 11, 2025].

"2. Processing of debtor data within the scope of XXXX

The XXXX is a database in which information about certain financing granted to natural persons, about certain joint liabilities assumed by such persons, and, if applicable, about registered payment defaults is stored.

We are the operator, authorized access provider, and also the data protection controller within the meaning of Article 4(7) GDPR of XXXX. In addition, we are also the central information point for affected debtors.

2.1. Who has access to XXXX?

Only banks, lending insurance companies, and leasing companies based in the European internal market (authorized access providers) can access XXXX.

2.2. When is personal data processed at XXXX?

Personal data will be passed on to XXXX and processed by us in connection with credit and leasing agreements involving amounts exceeding EUR 300.00, as well as the rejection of credit or leasing applications involving amounts exceeding EUR 7,000.00.

For example, if a debtor is granted a loan for an amount of EUR 1,000.00, their personal data will be passed on to XXXX. This also applies, for example, if their loan application for, say, EUR 8,000.00 is rejected.

2.3. Which personal data is processed by XXXX?

Personal data will only be processed in XXXX if the above-mentioned circumstances apply.

The following personal data will be processed:

Full names,

Date of birth,

Full address (street, number, postal code, place of residence),

Account number,

Previous names,

Previous address,

An existing XXXX number, if applicable.

In addition, the following information will be processed in XXXX:

Loan or leasing details: Lender/lessor, guarantor, loan type/lease type, loan amount/lease amount, currency, term, loan increase, installment start date, installment amount, loan/lease grant date;

Rejection of loan or leasing applications; If applicable, payment defaults: 3rd reminder, due date, lawsuit, execution, inventory of assets, write-off/uncollectibility;

Reason for termination of the loan/lease agreement: full payment, partial payment, out-of-court and court settlement, transfer of claims, out-of-court settlement, payment plan, discharge of residual debt, reorganization plan, restructuring.

Blocking notices: Data blocks to clarify the identity and traceability of data subjects (duplicate block, personal block, lack of traceability block), special block (e.g., if the data subject disputes an entry), general block (e.g., if an adult representative has been appointed or assumed for a data subject), information block (persons with insolvency information), clarification block (verification of the accuracy of an existing entry).

2.4. What happens to the personal data processed in XXXX?

The data contained in XXXX is not publicly accessible. It can only be accessed by authorized persons in the case of a legitimate legal interest (e.g., the existence of a business transaction or an existing contractual relationship with an affected debtor). The accessed data will be used by the respective authorized person only for the specific purpose of XXXX.

2.5. Possible recipients of personal data processed in XXXX

As described, data entered in XXXX can only be accessed by authorized persons. If data from affected debtors is processed in XXXX, this data could therefore be received by other authorized parties if a legal interest exists. The categories of such potential recipients are banks, lending insurance companies, and leasing companies based in the European internal market.

We also use processors for data processing within the XXXX framework. These are the following data processors:

XXXX

XXXX

Purpose of data processing in XXXX

The purpose of data processing is to minimize the risk of loan defaults as best as possible. The aim is to ensure that loans are not taken out from different banks that, in total, exceed the applicant's repayment capacity. Furthermore, data processing also aims to ensure that (potential) borrowers do not incur loan liabilities beyond their means. Data processing enables banks, in particular, to specifically identify such cases of insufficient creditworthiness and, if necessary, to refuse the granting of credit. This can prevent potential over-indebtedness of prospective borrowers.

Duration of retention of debtor data in XXXX

If a loan application is rejected due to insufficient creditworthiness, the personal data of the affected debtor will be deleted no later than six months after the rejection.

If a legally binding determination of the non-existence of a debt is made, all relevant entries in the XXXX will be deleted immediately.

If a loan or lease debt is fully repaid without any payment default and the loan or lease agreement is thus terminated, the data will be deleted no later than 90 days after repayment.

If a loan or lease debt is fully repaid after a payment default, the data will be deleted no later than five years after the debt has been fully repaid, unless the non-existence of a payment default is legally binding. In this case, the data will be deleted no later than 90 days after the debt has been fully repaid, or if the determination was made after this period, immediately after the legally binding determination. In all other cases, deletion will occur no later than seven years after the debt has been repaid or another debt-discharging event has occurred.

Master data (personal data) will be deleted if no changes are made to the XXXX data relating to a person within seven years. For the data subject's right (upon request) to erasure (Article 17 GDPR) and to object (Article 21 GDPR), see Section 3.3.

Information on data processing in the context of score calculation

When creating score models, we conduct profiling. This involves creating a forecast of future events (probability of payment default) based on collected information and past experience. The result calculated as part of this data processing is a score value.

The score values are generally calculated based on certain information stored or processed about a data subject (input variables). Information and data concerning special categories of personal data within the meaning of Article 9(1) GDPR are not included in the calculation.

The data processed about a person in XXXX will be fully disclosed in the information provided by XXXX in accordance with Article 15 GDPR.

Score values can support contractual partners in any decision-making process regarding whether to establish, continue, or terminate a contractual relationship and can be incorporated into risk management, with the risk assessment of a potential default and the creditworthiness assessment being carried out by the direct (potential) business partner. These score values will only be transmitted to third parties with express consent or if these values do not have a significant influence on the decision-making process.

Contractual partners of XXXX (authorized access parties) can therefore request credit reports and score values on an ad hoc basis in order to better assess the default risk associated with a (potential) business relationship.

The following scores are determined for natural persons under the above conditions:

The XXXX score is calculated based on the information stored and processed about a specific data subject.

The following data types (variables), if available, can be included in the score calculation and can have a positive, negative, or neutral impact:

Borrower age – the higher (i.e., the older), the better

Maximum term of outstanding contracts – the shorter, the better

Monthly charge – up to EUR 500 per month, the risk increases; from EUR 500 upwards, it decreases again

Number of creditor groups – worse from two upwards

Federal state, first digit of zip code – rural better than urban

Maximum term of contracts in the last 12 months – the longer the term, the worse

Age of the most recent outstanding mortgage – the smaller (i.e., younger), the worse

Most common loan type – credit rating is poor, everything else is good

Monthly charge of a person as a co-obligor – up to EUR 500 per month, the risk increases; from EUR 500 upwards, it decreases again

Number of co-obligors of the open inquiry – the fewer, the better

Number of open credit lines – one is bad, everything else is good

Number of open credit card contracts – credit card is good

Proportion of paid installments to total installments for downpayment loans – the higher, the better

II.1.2. Regarding the information in the proceedings regarding the co-participating party in the complainant's private credit database XXXX:

In connection with the exercise of his business, the complainant stores, among other things, the following entry regarding the co-participating party in XXXX:

XXXX

Stored personal data

XXXX number: XXXX

Last name: XXXX

First name: XXXX

Date of birth: XXXX

Address: XXXX

Previous address: XXXX

Loan details

Settled loan

Loan type/loan amount: EUR 15,000.00 installment loan

Lender: XXXX

Loan account number: XXXX

Current loan number: 1

Term: 84 months

Installment: monthly from 2015 - XXXX

Maturity date/loan end date: XXXX

Grant date: XXXX

Settlement method: Out-of-court settlement XXXX

Transmission recipient XXXX

[…]

Information: XXXX

Date: 2023-10-13

Recipient: XXXX

XXXX Score

The XXXX score predicts the probability of default in 12 months in percent.

Score value 0: No calculation possible

Probability of default - - "

The entry maintained by the complainant in his creditworthiness database is based on the settlement of an installment loan between the co-participating party and a named credit institution by way of an out-of-court settlement on XXXX. The fact that the installment loan with XXXX was settled by means of an out-of-court settlement was not reported by XXXX to the XXXX database at XXXX either in 2019, i.e., at the time of the out-of-court settlement, or at the time the payment plan was fulfilled in XXXX. This information was only recorded in October 2023 at the instigation of XXXX itself, after the co-participating party had pointed out the fulfillment of the payment plan for the out-of-court settlement with XXXX in the course of a request for self-disclosure in September 2023.

The aforementioned information on the co-participating party was made available by the complainant for inspection and further processing to third parties in the course of exercising its business as a credit agency for credit relationships for the purpose of assessing the creditworthiness of potential customer relationships.

In any event, XXXX, a branch of XXXX, is among the recipients of the information in question.

A credit application by the co-participating party for a consumer loan with the product name XXXX was rejected by XXXX. The rejection letter reads verbatim as follows [formatting not as in the original]:

"[...]

Vienna, XXXX 2024

Information about your credit product request

Thank you for your interest in the XXXX. Our goal is to help you finance big dreams, small wishes, and important purchases in a relaxed and responsible manner.

Unfortunately, our analysis has shown that we cannot make you an offer at the moment.

A credit decision is based on numerous factors and is mathematically calculated anonymously and automatically according to a predefined point system. Please do not take this decision personally. For better understanding, we have listed the reason(s) for our decision here:

The reasons for our decision in detail

XXXX

· The following credit agency information about you has been sent to us.

Unfortunately, until the corresponding attribute has been deleted (a note of completion is not sufficient), we cannot make you an offer. If you have any questions about the information you have sent us, please contact the credit agency directly in writing, ideally enclosing a copy of your ID.

· Unfortunately, we cannot make you an offer because XXXX cannot provide us with a scoring value. This is due to technical problems with XXXX.

If you have any questions about this, please contact XXXX directly.

What can you do now?

If you have any questions about the credit agency information presented, please contact:

· XXXX

· If you have any objections to the outcome of the decision, you have the opportunity to present your point of view to XXXX and to substantiate your objections. If this is the case, XXXX will examine the objections you have raised. You can write to XXXX at the following address: XXXX or XXXX. […]"

II.1.3. Regarding the data subject's requests for deletion from the complainant:

On XXXX 2024, the co-participating party requested that the complainant delete the entry stored about him regarding the settlement of the installment loan through out-of-court settlement and the calculated XXXX score from the complainant's creditworthiness database. The complainant did not comply with the deletion request.

II.1.4. On the financial situation of the co-participating party:

Regarding the out-of-court settlement with XXXX: Due to a job loss in 2016, the co-participating party entered into a modified installment payment agreement with XXXX in January 2017 to reduce the monthly payment burden. The co-participating party then adhered to the new installment agreement until 2019. Due to compound interest, the loan balance nevertheless increased, which is why the co-participating party applied to XXXX in 2019 for a new installment agreement of 36 monthly installments of €200 each, with simultaneous discharge of residual debt. The payment plan of the settlement thus ended in XXXX. The amount that XXXX ultimately waived results from compound interest.

Since the settlement of the installment loan with XXXX by an out-of-court settlement on XXXX, there have been no discernible payment defaults in the case of the co-participating party. The co-participating party has a secure job as a professional driver with XXXX and receives an income of approximately €2,200 per month from this. Despite the entry relating to the installment loan with XXXX, which is the subject of these proceedings, the co-participating party was able to conclude two consecutive leasing agreements with XXXX.

II.2. Evaluation of evidence:

II.2.1. Re II.1.1. (Regarding the complainant):

This finding is based on the unobjectionable contents of the file, and the complainant's commercial activity is public knowledge.

II.2.2. Re II.1.2. Storage in the complainant's creditworthiness database and disclosure of the information to third parties:

The relevant findings were made based on the consistent statements of the co-participating party and the complainant.

The fact that the complainant made the information in question available to third parties is evident from the complainant's business purpose, the consistent statements of the parties, and the relevant official knowledge of the Federal Administrative Court. According to its own statements, the co-participating party applied for a consumer loan from XXXX several times, but the requested consumer loan was rejected in each case, citing the information provided by the complainant's company for comparison with XXXX and the information "scoring value 0 - no calculation possible" [see XXXX's rejection letters dated XXXX 2024 and February 11, 2025, the latter letter referring to a trial loan application submitted by the co-participating party during the proceedings before the Federal Administrative Court].

II.2.3. Re II.1.3. (Regarding the co-participating party's request for deletion):

This finding is based on the co-participating party's undisputed submissions in the amended data protection complaint dated XXXX 2024 and, in particular, the complainant's statements in the appeal against the decision dated XXXX 2024, according to which the co-participating party submitted a request for deletion of the entry concerning the repayment loan by email dated XXXX 2024. The fact that the complainant did not comply with this request for deletion is evident from the unobjectionable statements made by the complainant in his statement of November 26, 2024, as well as the statements made by the complainant's representatives before the Federal Administrative Court.

II.2.4. Re II.1.4. Findings regarding the financial circumstances of the co-participating party:

The relevant findings are based primarily on the documentary evidence included in the file [correspondence between the co-participating party and credit institutions or the complainant itself]. The co-participating party most recently described its current financial situation during the oral hearing before the Federal Administrative Court; the relevant information is consistent with the rest of the file and was not disputed by the complainant.

II.3. Legal assessment:

Since the subject matter of the appeal is a decision by the Data Protection Authority, the Senate has jurisdiction pursuant to Section 27 of the Data Protection Act.

Regarding award point A) – Partial grant and amendment of the award:

II.3.1.1. Applicable law:

The relevant provisions of the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG), as amended by Federal Law Gazette I No. 24/2018, read in part, including the heading, as follows:

"Fundamental right to data protection

Section 1. (1) Everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or its inability to trace back to the data subject.

(2) To the extent that the use of personal data is not in the vital interest of the data subject or with his or her consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person. In the case of interventions by a state authority, restrictions are only permissible on the basis of laws that are necessary for the reasons stated in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data that, by their nature, are particularly worthy of protection to protect important public interests and must simultaneously establish appropriate safeguards for the protection of the data subject's interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest manner that achieves the objective.

[…]”

“Complaint to the Data Protection Authority

Section 24. (1) Every data subject has the right to lodge a complaint with the Data Protection Authority if they believe that the processing of personal data concerning them violates the GDPR or Section 1 or Article 2 of Chapter 1 of this Act.

(2) The complaint must contain:

1. the designation of the right considered to have been violated,

2. to the extent reasonable, the designation of the legal entity or body to which the alleged violation of law is attributed (respondent),

3. the facts from which the violation of law is derived,

4. the grounds on which the allegation of illegality is based,

5. the request to establish the alleged infringement, and

6. the information necessary to assess whether the complaint was filed in a timely manner.

(3) A complaint shall be accompanied, where appropriate, by the underlying application and any response from the respondent. In the event of a complaint, the data protection authority shall provide further assistance at the request of the data subject.

[…]"

The relevant provisions and recitals of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 4 May 2016, hereinafter: GDPR, read in extracts, including the heading:

"Article 4

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…

(4) "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

…

(7) "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

…

(10) “Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct authority of the controller or processor;

…

Article 5

Principles governing the processing of personal data

(1) Personal data must:

a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”) in accordance with Article 89(1);

(c) be adequate, relevant and limited to what is necessary for the purposes of the processing ('data minimization');

(d) be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

(e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period provided that the personal data are processed solely for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject ('storage limitation');

f) be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures (“integrity and confidentiality”);

(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance (“accountability”).

Article 6

Lawfulness of processing

(1) Processing shall be lawful only if at least one of the following conditions is met:

a) the data subject has given consent to the processing of personal data relating to him or her for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

[…]

f) processing is necessary to protect the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

[…]

(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for the purpose of complying with points (c) and (e) of paragraph 1 by specifying more precisely specific processing requirements and other measures to ensure lawful and fair processing, including for other specific processing situations as referred to in Chapter IX.

(3) The legal basis for processing operations referred to in points (c) and (e) of paragraph 1 shall be:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia the general conditions governing the lawfulness of processing by the controller, the types of data which are subject to the processing, the data subjects concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

(4) Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on a Union or Member State law which, in a democratic society, constitutes a necessary and proportionate measure to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with that for which the personal data were initially collected, take into account, inter alia,

a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;

c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses pursuant to Article 10 are processed;

d) the possible consequences of the intended further processing for the data subjects;

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

[…]”

Recital 47 of the GDPR states with regard to the legal basis of Article 6(1)(f):

“(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Article 16

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17

Right to erasure (“right to be forgotten”)

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

b) The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing.

c) The data subject objects to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to processing pursuant to Article 21(2).

d) The personal data have been unlawfully processed.

e) The erasure of personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.

f) The personal data were collected in relation to the offer of information society services pursuant to Article 8(1).

(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take appropriate measures, including technical ones, to inform controllers which process the personal data that the data subject has requested the erasure by such controllers of all links to, or copies or replications of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for the exercise of the right to freedom of expression and information;

b) to fulfill a legal obligation required by Union or Member State law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health pursuant to points (h) and (i) of Article 9(2) and Article 9(3);

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously compromise the achievement of the objectives of that processing; or

e) for the establishment, exercise or defense of legal claims.

Article 18

Right to Restriction of Processing

(1) The data subject shall have the right to request the controller to restrict processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject to establish, exercise or defend legal claims; or

d) the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted pursuant to paragraph 1, such personal data, with the exception of storage, shall only be processed with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.

Article 21

Right to object

(1) The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions, for reasons related to his or her particular situation. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

(3) If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.

(4) The data subject must be expressly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; this information must be provided in an intelligible form and separate from other information.

(5) In connection with the use of information society services, the data subject may, notwithstanding Directive 2002/58/EC, exercise his or her right of objection by means of automated procedures using technical specifications.

(6) The data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), unless the processing is necessary to perform a task carried out in the public interest.

Article 22

Automated individual decision-making, including profiling

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph 1 shall not apply if the decision

a) is necessary for entering into, or the performance of, a contract between the data subject and the controller,

b) is authorized by Union or Member State law to which the controller is subject, and that law lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or

c) is based on the data subject's explicit consent.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests have been taken.

Recital 71:

"The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes profiling, which consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies, and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
In order to ensure fair and transparent processing for the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical techniques for profiling, implement technical and organisational measures appropriately ensuring, in particular, that factors leading to inaccurate personal data are corrected and the risk of errors is minimized, and personal data should be secured in a manner that takes into account the potential threats to the interests and rights of the data subject, and, inter alia, prevent discriminatory effects or processing that has such an effect on natural persons on the grounds of race, ethnic origin, political opinion, religion or belief, trade union membership, genetic predisposition or health status, or sexual orientation. Automated decision-making and profiling based on special categories of personal data should only be permitted under certain conditions."

Section 152 of the Trade Regulation Act 1994 (GewO 1994), Federal Law Gazette I No. 111/2002, reads, including the heading:

“Credit Information Agencies

(1) Businesses authorized to operate credit information agencies are not authorized to provide information on private circumstances that are unrelated to creditworthiness.

(2) The traders referred to in paragraph 1 are obligated to retain their business correspondence and business records for seven years. The seven-year period begins at the end of the calendar year in which the correspondence was exchanged or the last entry was made in the business records. In the event of termination of the trade license, the correspondence and business records must be destroyed, even if the seven-year period has not yet expired.”

Section 256 of the Insolvency Code (Insolvency Code), Federal Law Gazette I No. 122/2017, reads, including the heading:


Insolvency File

(1) The edict file shall contain the data that must be made public under this federal law (insolvency file).

(2) Access to the insolvency file shall no longer be granted if one year has passed since:

1. the termination of the insolvency proceedings pursuant to Sections 123a, 123b, and 139;

2. the expiration of the payment period stipulated in the restructuring plan if its compliance is not monitored;

3. the termination or discontinuation of monitoring of the restructuring plan;

4. the expiration of the payment period stipulated in the payment plan; or

5. the premature discontinuation or termination of the debt recovery proceedings.

(3) At the debtor's request, access to the insolvency file shall no longer be granted if the legally confirmed restructuring plan or payment plan has been complied with. The debtor must provide documentary evidence of compliance. The court may commission an expert to examine compliance, whose costs shall be borne by the debtor. The court shall decide on the inspection by means of a final order.

(4) Inspection of the entries in insolvency proceedings not opened due to a lack of assets to cover costs or due to lack of assets pursuant to Section 68 shall no longer be granted after three years from the date of entry.

II.3.1.2. The subject matter of the case was to examine whether the complainant, in the course of its commercial activity as a credit information agency (Section 152 of the Trade Regulation Act 1994) – as established by the authority concerned in the contested decision – violated the co-participating party's right to erasure pursuant to Article 17 GDPR by persistently storing credit-relevant information on the co-participating party in the creditworthiness database it operates, the XXXX, specifically the two entries:

a) "Completion of out-of-court settlement XXXX" and,

b) XXXX score value "Score value 0: No calculation possible",

and making it available to third parties upon request for the credit assessment of the co-participating party.

In the present context, it was particularly necessary to assess whether the legal assessments of the European Court of Justice in its judgment of 7 December 2023 in Joined Cases C-26/22 and C-64/22 could, as the respondent authority assumed, be applied to the present case. The cited ECJ ruling concerned the processing, by a private credit agency for commercial purposes, of information on a discharge from residual debt following insolvency proceedings after fulfilment of a payment plan, taken from a state-maintained insolvency file comparable to Section 256 IO, beyond the point in time from which the corresponding information may no longer be published in the state insolvency file for reasons of insolvency law.

II.3.1.3. It should first be noted that the processing of (credit-relevant) personal data in the context of the exercise of a trade pursuant to Section 152 of the Trade Regulation Act 1994 ("credit agencies"), as in the present case concerning the co-participating party and in the absence of consent from the data subject, can be based, from a data protection perspective, exclusively on the legal basis of Article 6(1)(f) GDPR. According to this provision, the processing of personal data is only lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular if the data subject is a child (cf. ECJ, judgment of 7 December 2023, C-26/22, para. 74).

II.3.1.4. Thus, the processing of personal data under this provision is lawful under three cumulative conditions: first, a legitimate interest must be pursued by the controller or by a third party; second, the processing of the personal data must be necessary to achieve that legitimate interest; and third, the interests or fundamental rights and freedoms of the data subject must not prevail (cf. ECJ, judgment of 4 July 2023, C-252/21, para. 106 and the case law cited therein).

II.3.1.5. Article 5(1)(c) GDPR enshrines the principle of "data minimisation", which requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

Article 6(1)(f) GDPR therefore requires three cumulative conditions for the permissibility of processing credit-relevant information on a data subject in the credit database of a credit agency: first, a legitimate interest of the controller or a third party must be pursued, which in this context means the economic interest in the credit agency's own business or in obtaining information to assess the creditworthiness of potential borrowers; second, the processing must be strictly necessary to protect that interest; and third, the fundamental rights and freedoms of the data subject must not override these interests.

II.3.1.6. With regard to Article 6(1)(f) GDPR, the European Court of Justice has ruled that this provision is to be interpreted as meaning that processing can only be regarded as necessary to safeguard the legitimate interests of the controller or of a third party within the meaning of this provision if this processing is carried out within the limits of what is strictly necessary to achieve this legitimate interest and if it emerges from a balancing of the opposing interests, taking into account all relevant circumstances, that the interests or fundamental rights and freedoms of the data subjects do not outweigh the legitimate interest of the controller or of a third party (see, in this sense, the judgments of the ECJ of 4 May 2017, C-13/16, and of 4 July 2023, C-252/21).

In the following, the lawfulness of the processing of the payment experience data in question within the complainant's XXXX must be examined separately for each of the two entries, namely the information:

a) "Settlement of out-of-court settlement XXXX", or

b) XXXX - score value "Score value 0: No calculation possible".


a) On the entry of the out-of-court settlement regarding a loan

II.3.1.7. Regarding the processing of the information relating to the entry "Settlement of out-of-court settlement XXXX" and the related information by the complainant as a credit agency, the respondent authority – with reference to the judgment of the ECJ of December 7, 2023 in joined cases C-26/22 and C-64/22 [SCHUFA Holding AG] – takes the following legal view in summary:

The ECJ's assessment that the processing of data on insolvencies by a credit agency constitutes a serious interference with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights, especially since such data is a negative factor in assessing the creditworthiness of the data subject and therefore sensitive information about his private life, and since the processing is likely to significantly harm the interests of the data subject because it is likely to make the exercise of his freedoms, in particular with regard to the satisfaction of his basic needs, considerably more difficult, must, in the view of the data protection authority, also apply to the processing of other historical payment experience data, since it has the same effects. The national legislature has already weighed these conflicting interests with regard to the duration of public access to the insolvency file and has accordingly stipulated in Section 256(2) and (3) IO that this data is generally publicly accessible for up to one year after the insolvency proceedings have been lifted, and for three years thereafter in the event of dismissal due to insufficient assets to cover costs or in the event of no assets pursuant to Section 256(4) leg. cit. Furthermore, pursuant to Section 256(3) leg. cit., access to the insolvency file is no longer to be granted at the debtor's request once the legally confirmed restructuring or payment plan has been fulfilled. If these maximum time limits already apply to data from the insolvency file relating to discharge of residual debt, where insolvency proceedings generally involve a bundle of outstanding, sometimes high, creditor claims – and this appears to be the central concern of the authority concerned – this must apply all the more to other historical payment experience data processed by credit agencies, for which there is no independent statutory time limit.

In the present case, the matter was already settled on September 6, 2022, meaning that more than a year had already passed by the time the respondent informed the complainant that deletion could only take place after seven years, and almost two years had passed by the time the decision was made. In the specific case, there are also no indications that would justify further processing of the data – such as a renewed payment default, which, when viewed in conjunction with the previous payment history data, could lead to a different picture of the complainant's payment behavior – and the information on the out-of-court settlement should therefore have been deleted beforehand, or at least after the complainant had requested it.

However, from the perspective of the Senate hearing the case, the legal opinion of the respondent authority could not be followed – based on the following considerations:

II.3.1.8. The ECJ judgment in Cases C-26/22 and C-64/22, referred to by the respondent authority, deals with the admissibility of the practice of credit reporting agencies storing data concerning a person's solvency from public registers such as the insolvency register and making it available to third parties for commercial purposes.

In its judgment of December 7, 2023, C-26/22 and C-64/22, SCHUFA Holding (Residual Debt Discharge), the ECJ answered the essential questions in the preliminary ruling submitted by the Wiesbaden Administrative Court by holding that:

Article 5(1)(a) GDPR in conjunction with Article 6(1)(f) GDPR is to be interpreted as precluding a practice by "private credit reporting agencies" that consists in storing in their own databases information from a public register on the granting of residual debt discharge to natural persons for the purpose of providing information on their creditworthiness for a period that exceeds the storage period of the data in the public register. The judgment is therefore not relevant to the present case in all respects.

II.3.1.9. The facts to be assessed by the ECJ were based on the practice of credit agencies of extracting information from state-maintained and publicly accessible insolvency registers and processing it for commercial purposes even when the information in question may no longer be publicly published via the state-maintained insolvency database on the basis of national law (comparable to Section 256 of the Insolvency Code, IO). However, the facts of the case which formed the basis for the ECJ's judgment in Cases C-26/22 and C-64/22 differ in essential elements from the facts which the Senate must assess in the present case. The authority hearing the case has overlooked the fact that the present case does not concern information which the complainant, in its capacity as a credit information agency, obtained from the public insolvency database and which is to be made available to third parties on a commercial basis – in order to protect creditors' interests – beyond the periods for public publication regulated by Section 256 IO.

Rather, it is information about the out-of-court settlement between the co-participating party and a credit institution regarding a consumer credit agreement, which was not fulfilled by the consumer in accordance with the originally agreed repayment plan, but was settled by way of an out-of-court settlement and a contractually agreed discharge of residual debt. This information was never publicly accessible within the framework of a state-run insolvency database in the interest of creditor protection, but was known exclusively to the credit institution in question and subsequently made accessible only to a limited circle, namely the companies participating in the private credit database of the complainant (XXXX).

As a result, the ECJ's legal assessments regarding information that may no longer be publicly published via a public insolvency database for insolvency law reasons cannot be transferred to the present case in the generalized manner advocated by the authority concerned. This is for the following reasons:

II.3.1.10. According to the view expressed by the ECJ in the judgment above, the processing of personal data such as that at issue in the main proceedings serves not only the economic interests of the [credit agency] but also the legitimate interest of the [credit agency's] contractual partners who wish to conclude credit-relevant contracts with individuals in assessing the creditworthiness of those individuals, and thus the socio-economic interests of the credit sector. As regards consumer credit agreements, it follows from Article 8 of Directive 2008/48, read in the light of recital 28 in the preamble thereto, that, before the credit agreement is concluded, the creditor is required to assess the consumer's creditworthiness on the basis of sufficient information, including, where necessary, information from public and private databases. Furthermore, as regards consumer credit agreements relating to residential immovable property, it follows from Articles 18(1) and 21(1) of Directive 2014/17, read in conjunction with recitals 55 and 59 in the preamble to that directive, that the creditor must carry out a thorough assessment of the consumer's creditworthiness and has access to credit databases, consultation of such databases being a useful element in that assessment. It should also be emphasized that the obligation to assess consumer creditworthiness, as provided for in Directives 2008/48 and 2014/17, is intended not only to protect the credit applicant but also, as emphasized in recital 26 of Directive 2008/48, to ensure the smooth functioning of the entire credit system (see ECJ, C-26/22 and C-64/22, paras. 83-86).

It follows from this, first of all, that the ECJ recognizes a legitimate interest within the meaning of Article 6(1)(f) GDPR in the processing of creditworthiness-relevant data from public and private databases for the purpose of safeguarding the economic interests of a credit agency and the lending industry, and thus creditor protection, provided that such processing is also necessary to achieve those economic interests; the verification of this necessity falls within the jurisdiction of the national court.

II.3.1.11. With regard to the duration of data storage, the ECJ assumes in its judgment of December 7, 2023, that the examination of the requirements of necessity and proportionality overlap in that the assessment of whether, in the present case, the legitimate interests pursued by the processing of personal data at issue in the main proceedings cannot reasonably be achieved by a shorter period of data storage requires a balancing of the conflicting rights and interests. In weighing the legitimate interests pursued, the ECJ then finds that, insofar as it enables an objective and reliable assessment of the creditworthiness of the potential customers of the credit agency's contractual partners, the analysis carried out by a credit agency may compensate for discrepancies in information and thus reduce the risk of fraud and other uncertainties. However, as regards the rights and interests of the data subject, the ECJ considers that the processing of data relating to the granting of discharge from residual debt, such as the storage, analysis and transmission of that data to a third party, by a credit agency constitutes a serious interference with the fundamental rights of the data subject enshrined in Articles 7 and 8 of the Charter, since such information serves as a negative factor in the assessment of the data subject's creditworthiness. Consequently, its processing may seriously harm the interests of the data subject, since such transmission is likely to make the exercise of that data subject's freedoms significantly more difficult, in particular when it comes to meeting basic needs. In all of this, the ECJ considers the potential consequences for the interests and private life of the data subject to be greater, and the requirements for the lawfulness of storing this information to be higher, the longer the data in question are stored by credit reporting agencies (cf. ECJ, C-26/22 and C-64/22, paras. 92-95).

II.3.1.12. The respondent authority appears to overlook the fact that the objective of a public insolvency register is to ensure better information for the affected creditors and courts, as the ECJ explicitly points out in its case law. Furthermore, with regard to the retention periods under German insolvency law, the ECJ states that information on the granting of discharge from residual debt is only stored in the (German) insolvency register for six months. Therefore, it can be assumed that, after a period of six months, the rights and interests of the data subject outweigh those of the public in having access to this information (see again ECJ, C-26/22 and C-64/22, paras. 96 and 97).

II.3.1.13. In summary, from the perspective of the Senate hearing the case, it can be deduced from the ECJ judgment that in cases in which information on debt settlement proceedings was already publicly accessible in a state insolvency database in the interest of general creditor protection, private credit agencies may no longer process and disseminate it from the point in time at which the respective national insolvency law no longer considers the public publication of the information in question to be necessary to safeguard creditor protection interests.

II.3.1.14. As already explained, the information to be assessed in the present case concerning an out-of-court settlement between the co-participating party and a credit institution is not information on debt settlement proceedings that was publicly disclosed in a state insolvency database in the interest of creditor protection over a legally defined period.

Rather, the entry to be examined here is credit-relevant information on a payment default relating to an individual consumer credit agreement, and not on a debt settlement procedure resulting from insolvency. The information in question is accessible exclusively to a limited public, namely those authorized to access XXXX, which includes only banks, lending insurance companies, and leasing companies based in the European internal market, via a private credit database upon their request. Without the provision of the payment history data in question on the co-participating party within the complainant's private creditworthiness database, information discrepancies would arise on the part of companies in the lending sector, which would often limit the ability of the institutions concerned to conduct a thorough creditworthiness assessment (Section 7 VKrG, Consumer Credit Act) within the meaning of the requirements of Directive 2008/48/EC [future Directive (EU) 2023/2225], taking historical payment history data into account.

The processing of the payment history data on the co-participating party to be assessed here, concerning the settlement of a credit obligation by means of an out-of-court settlement and partial waiver of claims by XXXX, cannot therefore be considered inadmissible from the time the settlement with XXXX was fulfilled, in view of the interests of creditors to be protected and the existing examination duties incumbent on potential lenders. This must apply all the more if those authorized to access XXXX are exclusively institutions subject to the provisions of Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012 ("Capital Requirements Regulation") (cf. Administrative Court (VwGH), February 1, 2024, Ro 2020/04/0031, para. 35).

Rather, in the view of the Senate hearing the case, a balancing of interests must be carried out within the framework of an individual case assessment, and an examination must be carried out to determine how long storage in the XXXX is permissible in order to safeguard the interests of credit protection if, as established by the complainant as a credit agency, this private credit database is made accessible exclusively to banks, lending insurance companies, and leasing companies domiciled in the European internal market for the purpose of credit assessments in connection with credit transactions.

II.3.1.15. In the opinion of the Senate hearing the case, the (still) relevant case law of the supreme and administrative courts regarding the storage period of historical payment experience data is relevant in the present context. The interest of participants in XXXX (which the complainant provides commercially exclusively to banks, lending insurance companies, and leasing companies based in the European internal market) in accessing information on past payment behavior lies in a better assessment of their credit risk and thus in avoiding payment delays and defaults. Data on historical insolvencies and payment defaults are essential for predicting the future payment behavior of a (potential) debtor, although the longer they date back and the longer there have been no further payment delays or defaults, the less meaningful they are. In the balancing of interests to be carried out when assessing the permissible storage period, the age of the claim or the time at which the final default on the claim was established and the subsequent "good conduct" of the debtor are therefore of crucial importance. The amount of the default in insolvency proceedings is also essential for assessing the creditworthiness of a (potential) debtor and the risk of a claim and must therefore be taken into account when balancing interests (cf. OGH, December 19, 2023, para. 19).

Observation or deletion periods laid down in legal provisions that serve to protect creditors, or that specify the requirements for a suitable credit assessment, can be used as a guideline for how long creditworthiness data remain suitable for assessing the creditworthiness of a (potential) debtor.

In this context, particular reference should be made to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (Capital Requirements Regulation, CRR), which requires credit institutions, among other things, to rate their customers and to estimate the various risks associated with their exposures. For credit or retail exposures to natural persons, credit institutions that are permitted to calculate their risk-weighted exposure amounts using the Internal Ratings Based approach (Article 143(1) CRR) must, in accordance with Article 151(6) in conjunction with Article 180(2)(a) and (e) CRR, estimate the probability of default (PD) of the exposure, among other things, from long-run averages of the annual default rate. This estimate must be based on a historical observation period of at least five years for at least one data source, which may also be external. The estimate of the loss given default (LGD) must likewise, in principle, cover a period of at least five years, in accordance with Article 151(7) in conjunction with Article 181(2)(c) CRR.

II.3.1.16. On the balancing of interests in detail:

The economic interests of the controllers and their business partners in the processing of the co-participating party's information under review here were weighed against the co-participating party's interests, fundamental rights, and freedoms as follows:

The information stored by the complainant in the XXXX relates to an installment loan in the amount of €15,000 granted in XXXX 2015, with the original term contractually set at 84 months, meaning that the entire loan amount should have been repaid to the bank by XXXX. In January 2017, following a job loss, the co-participating party entered into an amended installment agreement with the bank to reduce the monthly payment burden and subsequently adhered to the new installment agreement until 2019. Due to compound interest, the loan balance nevertheless increased, which is why the co-participating party entered into a new installment agreement with the bank in 2019, consisting of 36 monthly installments of €200 each, with simultaneous discharge of the residual debt. The final payment plan therefore ended in XXXX, so that at the time of the decision the settlement had been fulfilled significantly less than three years earlier. Accordingly, a possible observation period for the co-participating party's payment behavior covers significantly less than five years, during which, as established, no further payment defaults occurred.

As a result, the processing of the information relating to the out-of-court settlement fulfilled in XXXX within the creditworthiness database (XXXX) operated by the complainant as a credit agency is still to be regarded as necessary at the time of the decision. The complainant only makes the information in question available to those authorized to access the XXXX, and these are exclusively banks, lending insurance companies and leasing companies based in the European internal market; these companies in the lending industry are obliged under EU law to assess the creditworthiness of potential borrowers, including on the basis of historical payment experience data. Since this group of companies is subject to the requirements of Regulation (EU) No 575/2013, the information in question can be processed within the XXXX for up to five years from the fulfillment of the payment plan on the basis of Article 6(1)(f) GDPR. In the specific case, this does not conflict with overriding interests (in economic advancement) of the co-participating party. As established, the co-participating party was able to conclude two leasing agreements in the meantime despite the entry in the XXXX regarding the out-of-court settlement from 2019, so that an excessive impairment of the co-participating party's economic advancement cannot be assumed. The fact that another credit institution refused to grant a consumer loan must be assessed separately, since, in the opinion of the deciding Senate, this refusal was primarily due to the information regarding a non-calculable score value, which is discussed below.

b) For processing the entry XXXX - score value "Score value 0: No calculation possible":

II.3.1.17. On the question of the existence of an automated decision within the meaning of Article 22(1) GDPR

In its judgment of 7 December 2023, C‑634/21, SCHUFA Holding (Scoring), the CJEU answered the questions referred for a preliminary ruling under Article 267 TFEU by the Administrative Court of Wiesbaden (Germany), by order of 1 October 2021, concerning the interpretation of Article 22(1) GDPR, as follows:

"40 By its first question, the referring court essentially asks whether Article 22(1) GDPR is to be interpreted as meaning that an ‘automated individual decision’ within the meaning of that provision exists where a probability value based on personal data relating to a person regarding that person’s ability to meet future payment obligations is automatically generated by a credit reference agency, provided that this probability value decisively determines whether a third party to whom this probability value is transmitted establishes, performs, or terminates a contractual relationship with that person.

41 In order to answer this question, it should first be noted that, in interpreting a provision of Union law, account must be taken not only of its wording but also of its context and the purposes and objectives pursued by the legal act of which it is part (judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 38 and the case-law cited).

42 As regards the wording of Article 22(1) GDPR, this provision provides that a data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

43 The applicability of this provision therefore depends on three cumulative conditions, namely, first, that a ‘decision’ must exist; second, that this decision must be ‘based exclusively on automated processing, including profiling’; and third, that it must ‘produce legal effects concerning the data subject’ or ‘similarly significantly affect the data subject’.

44 As regards, first, the condition relating to the existence of a decision, it should be noted that the term ‘decision’ within the meaning of Article 22(1) GDPR is not defined in that Regulation. However, it is clear from the very wording of that provision that this term refers not only to acts that produce legal effects concerning the data subject, but also to acts that similarly significantly affect that person.

45 The broad meaning of the term ‘decision’ is confirmed by Recital 71 of the GDPR, which states that a decision evaluating personal aspects concerning a person ‘may involve a measure’ that either ‘produces legal effects concerning the data subject’ or ‘similarly significantly affects him or her’, and that the data subject should have the right not to be subject to such a decision. According to this Recital, the term ‘decision’ includes, for example, the automatic rejection of an online credit application or online recruitment procedures without any human intervention.

46 Since the concept of ‘decision’ within the meaning of Article 22(1) GDPR may thus, as the Advocate General stated in point 38 of his Opinion, encompass several acts that may affect the data subject in a variety of ways, this concept is broad enough to include the result of calculating a person’s ability to meet future payment obligations in the form of a probability value.

47 Second, as regards the requirement that the decision within the meaning of Article 22(1) GDPR must be ‘based exclusively on automated processing, including profiling’, it is clear, as the Advocate General stated in point 33 of his Opinion, that an activity such as that of SCHUFA falls within the definition of 'profiling' in Article 4(4) GDPR and that this requirement is therefore met in the present case; moreover, the wording of the first question referred expressly refers to the automated creation of a probability value based on personal data relating to a person regarding that person's ability to service a loan in the future.

48 Thirdly, as regards the requirement that the decision must produce 'legal effects' concerning the data subject or 'similarly significantly' affect the data subject, it is already clear from the content of the first question referred that the actions of the third party to whom the probability value is communicated are 'significantly' guided by that value. Thus, according to the referring court's findings of fact, in the case of a credit application submitted by a consumer to a bank, an insufficient probability value will in almost all cases lead the bank to refuse to grant the requested credit.

49 Consequently, it must be assumed that the third condition on which the application of Article 22(1) GDPR depends is also met, since a probability value such as that at issue in the main proceedings at least significantly affects the data subject.

50 Therefore, in circumstances such as those in the main proceedings, in which the probability value determined by a credit agency and communicated to a bank plays a decisive role in the granting of a loan, the determination of that value must be classified as such as a decision which ‘produces legal effects or similarly significantly affects’ a data subject within the meaning of Article 22(1) GDPR.

51 This interpretation is supported by the context of Article 22(1) GDPR and the purposes and objectives pursued by that Regulation.

52 In this regard, it should be noted that, as the Advocate General stated in point 31 of his Opinion, Article 22(1) GDPR confers on the data subject the ‘right’ not to be subject to a decision based solely on automated processing, including profiling. This provision establishes a general prohibition, the violation of which does not need to be individually relied upon by such a person.

53 As follows from Article 22(2) GDPR, read in conjunction with Recital 71 of that Regulation, the adoption of a decision based solely on automated processing is permissible only in the cases referred to in Article 22(2), i.e., if it is necessary for entering into or performing a contract between the data subject and the controller (letter a), if it is permitted by Union or Member State law to which the controller is subject (letter b), or if it is based on the data subject's explicit consent (letter c).

54 Furthermore, Article 22(2)(b) and (3) GDPR stipulates that appropriate measures must be put in place to safeguard the rights and freedoms and legitimate interests of the data subject. In the cases referred to in Article 22(2)(a) and (c) of this Regulation, the controller shall grant the data subject at least the right to obtain human intervention, to express his or her point of view, and to contest the decision.

55 Furthermore, according to Article 22(4) GDPR, automated individual decisions within the meaning of Article 22 may only be based on special categories of personal data pursuant to Article 9(1) of this Regulation in certain specific cases.

56 Furthermore, in the case of automated decision-making such as that within the meaning of Article 22(1) GDPR, the controller is subject to additional information obligations pursuant to Article 13(2)(f) and Article 14(2)(g) of this Regulation. In addition, pursuant to Article 15(1)(h) GDPR, the data subject has, vis-à-vis the controller, a right of access which in particular concerns 'meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject'.

57 These higher requirements regarding the lawfulness of automated decision-making, as well as the additional information obligations of the controller and the associated additional rights of access of the data subject, are explained by the purpose pursued by Article 22 of the GDPR, which is to protect individuals from the specific risks to their rights and freedoms associated with the automated processing of personal data, including profiling.

58 As is clear from Recital 71 of the GDPR, this processing requires the evaluation of personal aspects relating to the natural person concerned, in particular to analyse or predict aspects concerning their performance at work, economic situation, health, preferences or interests, reliability or behaviour, location or movements.

59 According to this recital, these specific risks are likely to adversely affect the interests and rights of the data subject, in particular with regard to possible discriminatory effects against natural persons based on racial or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic predisposition or health status, or sexual orientation. Therefore, according to this recital, fair and transparent processing should be ensured for the data subject, in particular through the use of appropriate mathematical or statistical techniques for profiling and through technical and organizational measures designed to ensure that the risk of errors is minimized.

60 The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad meaning of the term 'decision' within the meaning of Article 22(1) GDPR, reinforces the effective protection sought by that provision.

61 On the other hand, in circumstances such as those in the main proceedings, involving three actors, there would be a risk of circumvention of Article 22 of the GDPR and, consequently, a gap in legal protection if preference were given to a narrow interpretation of that provision, according to which the determination of the probability value is to be regarded only as a preparatory act and only the act taken by the third party can, where appropriate, be classified as a 'decision' within the meaning of Article 22(1) of that Regulation.

62 In such a case, the determination of a probability value such as that at issue in the main proceedings would not be subject to the specific requirements of Article 22(2) to (4) of the GDPR, even though that procedure is based on automated processing and produces effects which significantly affect the data subject, since the actions of the third party to whom that probability value is communicated are decisively guided by that value.

63 Furthermore, as the Advocate General stated in point 48 of his Opinion, the data subject could not, first, exercise his right to access the specific information referred to in Article 15(1)(h) GDPR from the credit agency that determines the probability score concerning him if there is no automated decision-making by that agency. Second, assuming that the act carried out by that third party falls within Article 22(1) GDPR, since it meets the conditions for the application of that provision, the third party would not be able to provide that specific information because, in general, he does not have it.

64 The fact that the determination of a probability value such as that at issue in the main proceedings is covered by Article 22(1) of the GDPR has the consequence, as explained in paragraphs 53 to 55 of the present judgment, that it is prohibited unless one of the exceptions provided for in Article 22(2) of the GDPR applies and the specific requirements of Article 22(3) and (4) of the GDPR are met.

65 As regards, in particular, Article 22(2)(b) of the GDPR, to which the referring court refers, it is clear from the very wording of that provision that national legislation permitting the adoption of an automated decision in individual cases must contain appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject.

66 In the light of Recital 71 of the GDPR, such measures must include, in particular, the obligation on the controller to use appropriate mathematical or statistical procedures, to implement technical and organizational measures appropriate to ensure that the risk of errors is minimized and corrected, and to secure personal data in a manner that takes into account the potential threats to the interests and rights of the data subject, and in particular to prevent discriminatory effects against him or her. These measures must also include, at least, the right of the data subject to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision taken against him or her.

67 It should also be noted that, according to settled case-law of the Court, any processing of personal data must comply with the principles applicable to the processing of personal data laid down in Article 5 of the GDPR and, in view of the principle of lawfulness of processing provided for in Article 5(1)(a), satisfy one of the conditions for lawfulness of processing set out in Article 6 of that regulation (judgment of 20 October 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 49 and the case-law cited). The controller must be able to demonstrate compliance with those principles in accordance with the principle of accountability laid down in Article 5(2) of the GDPR (see, to that effect, judgment of 20 October 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 24).

68 If the law of a Member State permits the adoption of a decision based solely on automated processing pursuant to Article 22(2)(b) of the GDPR, that processing must therefore meet not only the conditions laid down in that latter provision and in Article 22(4) of the GDPR, but also the requirements set out in Articles 5 and 6 of that Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22(2)(b) GDPR that permits profiling in violation of the requirements of Articles 5 and 6, as interpreted by the case law of the Court of Justice.

69 As regards, in particular, the conditions of lawfulness provided for in Article 6(1)(a), (b) and (f) of the GDPR, which may apply in a case such as that in the main proceedings, Member States are not empowered to lay down additional rules for the application of those conditions, since such a power is limited, under Article 6(3) of the GDPR, to the grounds referred to in Article 6(1)(c) and (e) of that Regulation.

70 Furthermore, with regard to Article 6(1)(f) GDPR in detail, Member States may not, pursuant to Article 22(2)(b) GDPR, deviate from the requirements arising from the Court’s case-law following the judgment of 7 December 2023, SCHUFA Holding (Restschuldbefreiung) (C‑26/22 and C‑64/22, EU:C:2023:XXX), in particular by definitively prescribing the outcome of the balancing of the opposing rights and interests (see, to that effect, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 62).

71 In the present case, the referring court points out that only Section 31 of the Federal Data Protection Act (BDSG) could constitute a national legal basis within the meaning of Article 22(2)(b) of the GDPR. However, the referring court has serious concerns regarding the compatibility of Section 31 of the Federal Data Protection Act (BDSG) with EU law. If this provision were deemed incompatible with Union law, SCHUFA would not only be acting without a legal basis, but would ipso jure be infringing the prohibition set out in Article 22(1) GDPR.

72 In this respect, it is for the referring court to examine whether Section 31 of the Federal Data Protection Act (BDSG) can be qualified as a legal basis within the meaning of Article 22(2)(b) of the GDPR, which would allow the adoption of a decision based exclusively on automated processing. Should the referring court conclude that Section 31 constitutes such a legal basis, it would still have to examine whether the requirements set out in Article 22(2)(b) and (4) of the GDPR and in Articles 5 and 6 of the GDPR are met in the present case.

73 In view of the foregoing, the answer to the first question is that Article 22(1) GDPR is to be interpreted as meaning that an ‘automated individual decision’ within the meaning of that provision exists where a probability value based on personal data relating to a person regarding that person’s ability to meet future payment obligations is automatically generated by a credit reference agency, provided that the decisive factor is whether a third party to whom that probability value is transmitted establishes, performs, or terminates a contractual relationship with that person.

According to the statements in the cited ECJ judgment, automated data processing such as profiling itself constitutes an "automated individual decision" within the meaning of Article 22 (1) GDPR if the result of this automated processing is decisive for a specific further decision insofar as the third party's actions are "significantly guided" by the profiling in question and thus significantly affect the data subject (cf. the statements of the ECJ in the judgment of December 7, 2023, C-634/21, paras. 48 and 73).

Furthermore, in paragraph 61 of the judgment in question, the ECJ stated that in circumstances such as those in the main proceedings, involving three actors, there would be a risk of circumvention of Article 22 GDPR and, consequently, a gap in legal protection if preference were given to a narrow interpretation of that provision, according to which the determination of the probability value would be regarded only as a preparatory act and only the act taken by the third party could, if appropriate, be classified as a "decision" within the meaning of Article 22(1) of that regulation.

As the ECJ finally states in paragraph 67 of its judgment, referring to its settled case law, any processing of personal data must comply with the principles governing the processing of personal data laid down in Article 5 of the GDPR and, in view of the principle of lawfulness of processing provided for in Article 5(1)(a), must meet one of the conditions for lawfulness of processing set out in Article 6 of that regulation.

If the law of a Member State permits the adoption of a decision based solely on automated processing pursuant to Article 22(2)(b) of the GDPR, such processing must therefore meet not only the conditions laid down in that provision and in Article 22(4) of the GDPR, but also the requirements of Articles 5 and 6 of that Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22(2)(b) GDPR that permits profiling in violation of the requirements of Articles 5 and 6, as interpreted by the Court's case law (see paragraph 68 of the judgment).

II.3.1.18. From all of the above, it follows in the specific case that the complainant's argument that it could not calculate a scoring value with regard to the co-participating party because the past event of an out-of-court settlement including waiver of the claim could not be represented within the framework of the calculation method used by the complainant to determine the scoring value, which was therefore simply marked "0 - calculation not possible" and passed on to third parties, had to be rejected in light of the above-mentioned decision of the ECJ of 7 December 2023, C-634/21.

II.3.1.19. Rather, the complainant, as a credit agency, automatically generated a probability value based on personal data regarding the co-participating party's ability to meet future payment obligations, even if the result was "0 - calculation not possible," but was made available in this form to a credit institution by accessing the XXXX. This information was precisely the decisive criterion for the bank in question refusing to grant the co-participating party a loan agreement. This follows clearly and unambiguously from the bank's rejection letter, which states the following as justification for the rejection: "Unfortunately, we are unable to make you an offer because XXXX cannot provide us with a scoring value. This is due to technical problems with XXXX." The fact that the institution in question explicitly refers the co-participating party directly to the complainant as the credit agency for "further inquiries" in the same letter further underscores the fact that the bank in question does not itself significantly question the value "0 - calculation not possible" provided by the complainant, but would only be willing to make a different credit decision if this entry were to be changed by the complainant as the credit agency. Against this background, the complainant's statement that, following the ECJ's decision of December 7, 2023, Case C-634/21, it had pointed out to XXXX that, in addition to the scoring value provided by the credit agency, further criteria must be taken into account when making a credit decision does not change anything, as the present case clearly and unambiguously shows that it was precisely this result - even if it cannot be represented numerically in the complainant's system - that had a decisive influence on the negative credit decision.

Even the circumstance raised by the complainant, according to which, in cases such as the present one, in which an instalment loan was settled by way of an out-of-court settlement, a scoring value cannot be represented in the form of a numerical score for the duration of the storage of the relevant information within XXXX due to the logical design of the calculation formula, cannot change the legal classification within the meaning of the ECJ's case law on Art. 22 (1) GDPR. The decisive factor is not how the result of a scoring procedure can or cannot be presented; rather, what is decisive is whether the result – even if it is "0 - calculation not possible" – is interpreted by the respective recipient as having sufficiently negative connotations, which is undoubtedly the case in this case. In the present case, the determination of the "credit score" of the data subject, which ultimately was decisive for the refusal to conclude a contract with a credit institution, was thus to be classified as a decision that "produces legal effects or similarly significantly affects" a data subject within the meaning of Art. 22 (1) GDPR (cf. the broad meaning of the term "decision" in ECJ, C-634/21, paras. 45 et seq.).

The fact that the final decision on the granting of a consumer loan lies within the respective decision-making structure of the bank – and thus not within the complainant as a credit agency – cannot prevent the legal qualification of the information, according to which a calculation of a scoring value is not possible, as an automated decision within the meaning of Art. 22 (1) GDPR; finally, the ECJ's ruling is based precisely on the fact that the potential lender ultimately decides on the question of the conclusion of the credit agreement in question (see, on all this, Administrative Court (VwGH), December 21, 2023, Ro 2021/04/0010, para. 80).

II.3.1.20. It was therefore necessary to examine whether one of the exceptions under Article 22 (2) GDPR applies in the present case:

As regards the requirements of Article 22(2) GDPR, it cannot be said in this specific case that the decision was necessary for the conclusion or performance of a contract between the data subject, i.e., the co-involved party, and the controller, i.e., the complainant, within the meaning of Article 22(1)(a) GDPR. Furthermore, there are no legal bases in national law that contain "appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject," as required by Article 22(1)(b) GDPR. In this context, it should be expressly noted that Section 152 of the Trade Regulation Act 1994 does not constitute such a legal basis. In this case, with regard to the automated decision-making process at hand within the meaning of Art. 22 (1) GDPR, there is also no (explicit) consent from the co-participating party within the meaning of Art. 22 (1) (c) GDPR.

Overall, it was therefore concluded that in the present case, a probability value based on personal data regarding the ability of the co-participating party to fulfil future payment obligations was automatically generated by a credit agency, namely the complainant as the data controller within the meaning of Art. 4 (7) GDPR, and the probability value calculated here decisively determined whether third parties (here: a credit institution) would establish, implement or terminate a contractual relationship with this person. However, the legal requirements for this were not met due to the lack of an exception pursuant to Art. 22 (2) GDPR.

In addition, the above-mentioned decision of the Court of Justice of the European Union shows that, in the case of profiling, the controller is subject to further information obligations under Article 13 (2) (f) and Article 14 (2) (g) GDPR, but has not complied with these in the present case. Specifically, the aforementioned provisions of the GDPR stipulate that, in addition to the information pursuant to paragraph 1, leg. cit., the controller must provide the data subject with information regarding the existence of automated decision-making, including profiling, pursuant to Article 22 (1) and (4) GDPR at the time the data is collected, and – at least in these cases – with meaningful information about the logic involved, as well as the significance and intended effects of such processing for the data subject.

However, the complainant did not adequately inform its contractual partners, i.e., those companies that inquired about the creditworthiness of the co-participating party – measured against the requirements outlined above – that automated decision-making, including profiling, was taking place pursuant to Art. 22 (1) and (4), but that the co-participating party's "credit score" was determined as "0 - calculation not possible" solely on the basis of the information regarding the out-of-court settlement of XXXX. The co-participating party was therefore not given sufficient opportunity to present its position as a data subject to data protection law to a company inquiring about the creditworthiness. This would require that it be sufficiently clear from the credit report that the credit score contained therein was not calculated based on various payment history data, but that a numerical assessment was not possible due to the calculation formula used, or that this circumstance does not necessarily indicate a negative rating.

Result: Overall, the deciding Senate therefore comes to the same conclusion as the competent authority, apart from the fact that in the present case there was already no exception under Article 22 (2) GDPR. The complainant, as the data controller, violated the principles of "lawfulness" and "good faith" within the meaning of Article 5 (1) (a) GDPR when processing personal data to create probability statements ("credit score") regarding the creditworthiness of the data subject. The entry in question must therefore be deleted pursuant to Article 17 (1) (d) in conjunction with Article 22 (1) GDPR.

This case-specific finding does not mean that the calculation and provision of a scoring value by a credit agency, if this value is presented as a numerical value based on credit-relevant information for the purpose of clarity, is generally impermissible. Rather, such a procedure can be used in the interest of a concise presentation of a potential borrower's creditworthiness within the framework of the obligation to assess the creditworthiness of consumers – but not as a decisive influence within the meaning of the ECJ in its decision on C-634/21 (para. 73). Overall, it must in any case be ensured that the criteria established by the ECJ in its judgment of December 7, 2023, C-634/21 in connection with Art. 22 (1) GDPR are taken into account.

II.3.2. On point B) of the ruling – Inadmissibility of the appeal on points of law:

According to Section 25a (1) of the Administrative Court Act (VwGG), the administrative court must state in its judgment or decision whether the appeal on points of law is admissible pursuant to Article 133 (4) of the Federal Constitutional Act (B-VG). The ruling must be briefly justified.

The appeal is inadmissible pursuant to Article 133 (4) B-VG because the decision does not depend on the resolution of a legal question as defined by Article 133 (4) B-VG.

Instead, the Federal Administrative Court was able to rely on the case law of the European Court of Justice and the Higher Administrative Court to the extent outlined above when resolving the relevant legal issues.

Specifically, as explained in detail, the ECJ judgment of December 7, 2023, C-26/22 and C-64/22 [SCHUFA Holding AG] was not relevant to the present case in accordance with the legal opinion advocated by the authority concerned, as it explicitly addressed the further processing of data from a state insolvency file, but not individual payment experience data on out-of-court settlements that had never been publicly published in the interest of creditor protection.

In contrast, the ECJ judgment of December 7, 2023, C-634/21, SCHUFA Holding [Scoring], and the subsequent decision of the Administrative Court of December 21, 2023, Ro 2021/04/0010, were relevant to the question of the existence of automated decision-making within the meaning of Art. 22 GDPR.

The decision had to be made in accordance with the judgment.