Skip to main content

Recent decisions of the Austrian Data Protection Authority (3/3)


This article presents the third out of three interesting decisions on Austrian data protection law, in particular dealing with confirmation of the remedial measures taken during a consultation pursuant to Art 36 GDPR, the right to deletion pursuant to Art 17 GDPR and an evaluation of a data controller.

3. Credit information agency as the data controller for the credit rating carried out – Case no. D123.688/03-DSB/2018

In the decision of 13 May 2019 the Austrian data protection authority had to deal, as part of its decision , with the question of whether a credit agency should be qualified as data controller for the credit assessment it had carried out. The subject of the procedure is an alleged violation of the right to information. In addition to several violations alleged by the complainant, which were essentially limited to incomplete information, it was claimed that the respondent, who operates a credit agency, had not provided any further details with regard to the logic involved and the scope and intended effects of the credit assessment carried out on the complainant. In summary, the respondent responded that the decision on the conclusion of a legal transaction or on the form in which the legal transaction was concluded was taken exclusively by the company querying the respondent.

In this regard, the data protection authority stated that the respondent processes personal data for the purpose of exercising its trade in accordance with § 152 GewO 1994 (Austrian Trade Regulation Act - credit agencies on credit relationships) and that, on the basis of statistical probability, a mathematical value is calculated on the basis of certain parameters which reflects the probability of non-payment. The fact that companies have the option of incorporating the weighting or other parameters (such as their own payment experience with the end customer/individual concerned) into the logic does not harm this. In the sense of the above considerations, the respondent cannot be understood as a processor, since the data are not only processed on behalf of the respective customer, but a processing is carried out independently of it within the scope of the exercise of the trade according to §152 GewO 1994 and the "score formula" - i.e. which concrete information with personal reference is combined with each other in which concrete way in order to calculate a certain creditworthiness - is determined by the respondent itself. In the opinion of the data protection authority, this is an independent decision-making process for the respondent, since the respondent is engaged in the above-mentioned business in order to bring calculated creditworthiness data into commercial circulation and, according to general life experience, this can be associated with considerable impairments in commercial life.

If an end customer who obtains the creditworthiness information makes a certain decision on the basis of the calculated creditworthiness - for example, by taking the creditworthiness result as the basis for his economic decision without questioning it - this is a second independent decision-making process for the end customer. As a result, the performance mandate was to be issued to the respondent, to provide the respondent with meaningful information about the logic involved as well as the scope and desired effects of the credit assessment concerning the complainant. The decision is not final.


Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)

Previous article: 2. No right to deletion from a doctor search and assessment portal - Case no. D123.527/0004-DSB/2018

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.