Austrian Court Rules Against Credit Agency for GDPR Data Transparency Failures
An Austrian court has ruled against a credit information agency for failing to provide adequate transparency about its data processing activities and automated decision processes. The decision, handed down on May 28, 2025, follows a complaint filed in 2018 and involves the agency associated with Deutsche Bank after their 2021 merger.
The Austrian Federal Administrative Court determined that the agency violated the General Data Protection Regulation (GDPR) in two key areas. Firstly, it failed to provide sufficiently specific information about processing purposes under Article 15(1)(a) GDPR. The court found that general statements such as 'providing credit information' and 'providing marketing information' were insufficient for compliance verification.
Secondly, the court ruled that the agency breached Article 15(1)(h) GDPR regarding automated decision transparency. The agency denied the existence of automated decision processes and did not explain the logic involved in automated score calculation. This ruling aligns with the February 27, 2025 CJEU ruling in case C-203/22, which established that automated generation of creditworthiness scores constitutes automated decision-making under Article 22 GDPR when these scores significantly influence third-party contract decisions.
The court ordered the agency to provide compliant information within four weeks, detailing specific processing purposes and the logic behind automated decision processes. It also found that the agency processed data from various sources like address publishers and direct marketing companies but did not clearly indicate which specific data served which purposes.
The Austrian court's decision serves as a reminder for data controllers to ensure transparency in their data processing activities and automated decision processes. The credit agency, associated with Deutsche Bank, must now comply with the court's order to avoid execution proceedings. This ruling sets a precedent for similar cases, emphasizing the importance of GDPR compliance in the credit industry.
