BVwG - W292 2248672-1
From GDPRhub
| BVwG - W292 2248672-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 5(1)(a) GDPR Article 13(2)(f) GDPR Article 14(2)(g) GDPR Article 22 GDPR |
| Decided: | 23.04.2024 |
| Published: | 28.06.2024 |
| Parties: | |
| National Case Number/Name: | W292 2248672-1 |
| European Case Law Identifier: | |
| Appeal from: | Datenschutzbehörde D124.3813 / 2021-0.516.280 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | RIS (in German) |
| Initial Contributor: | ec |
The Federal Administrative Court held that a credit score calculated by a credit reference agency falls under automatic decision-making. The court further held that a credit reference agency is obliged to provide the data subject with the reasons for the credit score.
English Summary
Facts
The data subject wanted to enter into an energy supply contract with an energy supplier in 2020, but received a letter back on 1 October 2020 from the energy supplier that this was not possible due to an insufficient credit check. This credit check was done by a credit reference agency (the controller).
On 7 October 2020, the data subject submitted an access request under Article 15 GDPR to the controller.
On 8 October 2020, the controller provided the data subject with the personal data it had of the data subject, including their name and address. It also stated that the energy supplier had made a credit inquiry to the controller about the data subject on 1 October 2020.
On 7 January 2021, the data subject requested the controller to properly comply with its obligation to provide access.
On 13 January 2021, the controller replied that there was no right to access under Article 15 with regard to the origin of the risk values and the parameters and methods that were used to calculate a risk value as those were seen as business secrets of the controller.
On 17 March 2021, the data subject lodged a complaint against the controller at the Austrian DPA (“Datenschutzbehörde -DSB“).
The controller argued to the DPA that there was no automated decision-making within the meaning of Article 22 GDPR and that there was therefore no right of access under Article 15 GDPR. It furthermore provided the DPA that it calculated on the basis of the parameters “qualified payment defaults (debt collection entries, insolvency, etc.) age, and place of residence”. Regarding the data subject, the controller sent a “medium” credit score to the energy supplier. No negative payment history data was available in the controller’s system to determine the creditworthiness score of the data subject. The controller stated it collected data from publicly available sources, data from address publishers and information on payment experience provided by corporate customers and debt collection partners.
The DPA upheld the complaint and found that the controller violated Article 5(1)(a) GDPR, Article 13(2)(f) GDPR, Article 14(2)(g) GDPR. Article 15(1)(h) GDPR and Article 22 GDPR. The DPA further ordered the controller to comply with the access request of the data subject within eight weeks.
The controller appealed the DPA’s decision at the Federal Administrative Court (“Bundesverwaltungsgericht - BVwG“).
Holding
The court dismissed the controller’s argument that a violation of Article 5(1)(a) GDPR could not be made the subject of a complaint under Section 24 Austrian FADP and Article 77 GDPR. The court held that a data subject can base a violation of rights on any provision of the GDPR, provided that the processing of personal data in violation of the GDPR also leads to a violation of the legal position of the data subject. The court also took into account the CJEU judgement (C-33/22), in which is it clear that a complaint under Article 77(1) GDPR does not need to be based on a violation of rights, but on a violation of data processing in the GDPR.
Regarding the question whether assessing the data subject’s creditworthiness falls under automatic decision-making under Article 22 GDPR, the court took into account the CJEU judgement C-634/21 OQ / Land Hessen. The CJEU held that “the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ [under Article 22(1) GDPR], where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.” (See para 73).
The court therefore dismissed the controller’s argument that it does not carry out automated decision-making under Article 22 GDPR, as the probability value that the controller provided to the energy supplier was the decisive criterion for the energy supplier’s refusal to conclude an energy supply contract with the data subject. Moreover, the court held that the fact that the decision led to the data subject not concluding an energy supply contract was a decision that “produces legal effects concerning a data subject or similarly significantly affects a data subject” within the meaning of Article 22(1) GDPR.
The court dismissed the controller’s argument that it only calculated the credit score but that any further decision is made by their contractual partners, and thus the controller does not anticipate that a decision is based on the calculation of the credit score. In the same CJEU judgement, the CJEU explicitly state that here would be a risk of circumvention of Article 22 GDPR and consequently a legal protection gap if the calculation of the credit score is only seen as a preparatory act and not a decision.
The court held that no exceptions under Article 22(2) GDPR applied to the creation of the credit score by the controller and thus was unlawful.
The court further elaborated that the controller is subject to further information obligations under Article 13(2)(f) GDPR and Article 14(2)(g) GDPR, but did not comply. The court held that no information was provided about the logic involved or the scope and intended effects of such processing for the data subject.
Therefore, the court agreed with the DPA that the controller also violated the principles of “lawfulness” and “fairness” under Article 5(1)(a) GDPR.
The court agreed with the findings of the DPA that the controller did not comply with the data subject’s access request under Article 15 GDPR. The court took into account the same CJEU’s judgement which held that the data subject has a right of access to the “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject” (para 56). The court found that the data subject could not verify the lawfulness of the data processing with the information given by the controller as it did not include the specific information on the origin of the credit score attributed to it. The court held that the information provided must be so comprehensive that the data subject can understand the reasons for the scoring value of the credit score. This court held that the term “logic involved”is to be understood in such a way that only the principle on which such a calculation is based must be described, but not the specific calculation formula.
Regarding the controller’s argument that this information was to be classified as a trade secret, the court held that although under Section 4(6), the right to information is generally excluded if it would jeopardize a business or trade secret, this right is not an absolute right to refusal of information. Therefore, the controller must carefully weigh up in each individual case the extent to which specific part of information would affect a business or trade secret. Although the specific calculation formula of the controller is a business secret, the data subject can still be provided with further information on how this credit score was calculated without disclosing business secrets. The court agreed with the DPA that by providing information on the calculation of the credit core, this would not result in a competitive disadvantage for the controller compared to market competitors, especially since all of them are subject to the GDPR.
Therefore, the court held that the controller violated Article 15(1)(h) GDPR by not providing the data subject with sufficient information. The court thus concluded that the DPA was right in ordering the controller to provide the data subject with the relevant information within a deadline of eight weeks.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date
April 23, 2024
Standard
B-VG Art133 Para. 4
DSG §1
DSG §24
DSGVO Art12
DSGVO Art13
DSGVO Art14
DSGVO Art15
DSGVO Art15 Para. 1 lit
DSGVO Art22
DSGVO Art4
DSGVO Art5
DSGVO Art5 Para. 1 lita
DSGVO Art58 Para. 2 litc
DSGVO Art6
DSGVO Art6 Para. 1 litf
GewO 1994 §152
B-VG Art. 133 today B-VG Art. 133 valid from January 1, 2019 to May 24, 2018 last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from January 1, 2019 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 25.05.2018 to 31.12.2018 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 01.08.2014 to 24.05.2018 last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from 01.01.2014 to 31.07.2014 last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from 01.01.2004 to 31.12.2013 last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to December 31, 2003, last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from December 25, 1946 to December 31, 1974, last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946, last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934
DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from January 1, 2014 last amended by BGBl. I No. 51/2012 DSG Art. 1 § 1 valid from January 1, 2000 to December 31, 2013
DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from July 15, 2024 last amended by BGBl. I No. 70/2024 DSG Art. 2 § 24 valid from May 25, 2018 to July 14, 2024 last amended by BGBl. I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last amended by BGBl. I No. 133/2009 DSG Art. 2 § 24 valid from January 1st, 2000 to December 31st, 2009
GewO 1994 § 152 today GewO 1994 § 152 valid from August 1st, 2002 last amended by BGBl. I No. 111/2002 GewO 1994 § 152 valid from March 19th, 1994 to July 31st, 2002
Saying
W292 2248672-1/5E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Mag. Herwig ZACZEK as chairman and the expert lay judges, Mag.a Martina CHLESTIL and Mag. René BOGENDORFER as assessors, on the complaint of XXXX , represented by Baker McKenzie Rechtsanwälte LLP & Co KG, against points 1 and 2 of the decision of the Data Protection Authority dated October 15, 2021, No. D124.3813 / 2021-0.516.280 (co-participating party: XXXX , represented by Fritsch, Kollmann, Zauhar & Partner Rechtsanwälte), rightly ruled:The Federal Administrative Court, through Judge Mag. Herwig ZACZEK as chairman and the expert lay judges, Mag.a Martina CHLESTIL and Mag. René BOGENDORFER as assessors, on the complaint of the Roman XXXX , represented by Baker McKenzie Rechtsanwälte LLP & Co KG, against the ruling points 1 and 2 of the decision of the data protection authority dated October 15, 2021, ref. D124.3813 / 2021-0.516.280 (party involved: Roman XXXX, represented by Fritsch, Kollmann, Zauhar & Partner Rechtsanwälte), rightly ruled:
A)
The complaint is partially upheld and the contested decision is amended so that its ruling points 1 and 2 now read as follows:
“1. The complaint is upheld and it is determined that
a) XXXX (as the data protection controller) violated the principles for the processing of personal data of lawfulness, processing in good faith and transparency pursuant to Art. 5 (1) (a) GDPR when processing personal data of XXXX (as the data subject) for the purpose of calculating probability forecasts of his future payment behavior ("credit score"); this was because the controller calculated the credit score without having any specific payment experience data on the data subject and did not explain this fact in a sufficiently understandable and transparent manner in the credit report on the data subject, which was provided to XXXX; a) when processing personal data of roman XXXX (as the data protection controller) for the purpose of calculating probability forecasts of his future payment behavior ("credit score"), roman XXXX (as the data subject) violated the principles for the processing of personal data of lawfulness, processing in good faith and transparency pursuant to Article 5, paragraph one, letter a, of the GDPR; this was because the controller calculated the credit score without the existence of any specific payment experience data on the data subject and did not explain this fact in a sufficiently understandable and transparent manner in the credit report on the data subject, which was issued to roman XXXX;
b) the controller has violated the data subject's right to information pursuant to Art. 15 GDPR by not providing the data subject with complete information pursuant to Art. 15 Paragraph 1 Letter h GDPR until the current procedure has been concluded.b) the controller has violated the data subject's right to information pursuant to Article 15 GDPR by not providing the data subject with complete information pursuant to Article 15 Paragraph 1 Letter h GDPR until the current procedure has been concluded.
2. The responsible party is instructed pursuant to Article 58, Paragraph 2, Letter c, GDPR to provide the person concerned with information to the extent of point 1. b) within a period of eight weeks, otherwise execution will take place." 2. The responsible party is instructed pursuant to Article 58, Paragraph 2, Letter c, GDPR to provide the person concerned with information to the extent of point 1. b) within a period of eight weeks, otherwise execution will take place."
B)
The appeal is not admissible pursuant to Article 133, Paragraph 4, B-VG.The appeal is not admissible pursuant to Article 133, Paragraph 4, B-VG.
Text
Reasons for the decision:
I. Procedure: Roman one. Procedure:
I.1. The co-involved party, XXXX, summarized in his data protection complaint of October 4, 2021 to the data protection authority (authority concerned) that he considered that XXXX (complainant in the administrative court proceedings) had violated his right to information under Art. 15 in conjunction with Art. 12 GDPR, his right to data accuracy under Art. 5 Para. 1 lit. d GDPR, the "transparency principle" and the principle of processing in "good faith" under Art. 5 Para. 1 lit. a GDPR, his right to information under Art. 14 in conjunction with Art. 12 GDPR and his right not to be subject to automated decision-making in individual cases, including profiling, under Art. 22 GDPR. Specifically, as part of its commercial activity as a credit agency, XXXX provided one of its contractual partners, XXXX, with information on the (probable) creditworthiness of the party involved in the form of a scoring value upon request. However, the information provided in this way was insufficient because the person responsible had only assigned the party involved and the person affected an "average" creditworthiness, although there was no information on the person affected that could objectively justify this. In addition, the data had been processed without the knowledge of the party involved, which is why Art. 5 Para. 1 lit. a GDPR had been violated. The complainant should also have informed the party involved in accordance with Art. 14 Para. 1 GDPR. In addition, the credit report on the person affected should be qualified as a decision in accordance with Art. 22 Para. 1 GDPR, since it can be assumed that the calculation was carried out using purely automated processing. Roman one.1. The party involved, Roman XXXX, summarized in his data protection complaint of October 4, 2021 to the data protection authority (authority concerned) that he considered that Roman XXXX (complainant in the administrative court proceedings) had violated his right to information under Article 15, in conjunction with Article 12, GDPR, his right to data accuracy under Article 5, paragraph one, letter d, GDPR, with regard to the "transparency principle" and the principle of processing in "good faith" under Article 5, paragraph one, letter a, GDPR, his right to information under Article 14, in conjunction with Article 12, GDPR, and his right not to be subject to automated decision-making in individual cases, including profiling, under Article 22, GDPR. Specifically, as part of its commercial activity as a credit agency, Roman XXXX provided one of its contractual partners, Roman XXXX, with information on the (probable) creditworthiness of the party involved in the form of a scoring value at the latter's request. However, the information provided in this way was insufficient because the person responsible had only assigned the party involved and the person affected an "average" creditworthiness, although there was no information on the person affected that could objectively justify this. In addition, the data had been processed without the knowledge of the party involved, which is why Article 5, paragraph one, letter a, GDPR had been violated. The complainant should also have informed the party involved in accordance with Article 14, paragraph one, GDPR. In addition, the credit report on the person affected should be qualified as a decision in accordance with Article 22, paragraph one, GDPR, because it can be assumed that the calculation was carried out using purely automated processing.
I.2. With the contested decision of the authority concerned dated October 15, 2021, reference number D124.3813 / 2021-05.16.280, the authority upheld the data protection complaint of the co-participating party on the grounds of 1. violation of the principles of data processing, 2. violation of the right to confidentiality, 3. violation of the right to information, 4. violation of the right to information and 5. violation of the right not to be subjected to a decision based exclusively on automated processing and 6. partially granted the applications for the imposition of a processing ban and a fine and found that the complainant had violated the principle of legality and the principle of processing in good faith when processing the data of the co-participating party to calculate the probability statement about its future payment behavior (credit score), since it had carried out this calculation without the existence of concrete payment experience data on the person of the co-participating party and had not taken this fact into account. sufficiently understandable on the credit statement of the co-involved party to XXXX (point 1.a)). Roman one.2. With the contested decision of the authority concerned dated October 15, 2021, reference number D124.3813 / 2021-05.16.280, the authority upheld the data protection complaint of the co-participating party on the grounds of 1. violation of the principles of data processing, 2. violation of the right to confidentiality, 3. violation of the right to information, 4. violation of the right to information and 5. violation of the right not to be subjected to a decision based exclusively on automated processing and 6. partially granted the applications for the imposition of a processing ban and a fine and found that the complainant had violated the principle of legality and the principle of processing in good faith when processing the data of the co-participating party to calculate the probability statement about its future payment behavior (credit score), since it had carried out this calculation without the existence of concrete payment experience data on the person of the co-participating party and had not taken this fact into account. sufficiently understandable on the credit statement of the co-involved party to the Roman XXXX (point 1.a)).
The authority concerned also found that the co-participating party had violated the principle of transparency in the processing of the co-participating party's data referred to in ruling point 1.a), as the co-participating party had not explained in a comprehensible manner whether it was also processing the co-participating party's personal data, which it processed for the purpose of carrying out the credit reporting business, for the purpose of carrying out the business of address publishing and direct marketing companies and the business of providing services in automatic data processing and information technology (ruling point 1.b)).
The authority concerned also found that the complainant had violated the co-participating party's right to confidentiality by unlawfully processing the co-participating party's data (judgment point 1.c)) and that the complainant had violated the co-participating party's right to information by failing to provide the co-participating party with any information pursuant to Art. 15, paragraph 1, letter h of the GDPR until the present proceedings were concluded (judgment point 1.d)).The authority concerned also found that the complainant had violated the co-participating party's right to confidentiality by unlawfully processing the co-participating party's data (judgment point 1.c)) and that the complainant had violated the co-participating party's right to information by failing to provide the co-participating party with any information pursuant to Art. 15, paragraph 1, letter h of the GDPR until the present proceedings were concluded (judgment point 1.d)).
The complainant was instructed by the authority concerned to provide the other party with information within a period of eight weeks, or else execution would result in the case being taken, as to whether it was intended to further process the personal data of the other party concerned for the purposes of carrying out the business of providing credit information for the purposes of carrying out the business of address publishing and direct marketing companies and the business of providing services in automatic data processing and information technology (judgment point 2.a)) and to provide information to the extent of judgment point 1.d) (judgment point 2.b)) .
It otherwise rejected the complaint (judgment point 3.).
The authority concerned rejected the applications for the imposition of a processing ban and for the imposition of a fine (judgment point 4.).
I.3. The complaint filed on November 15, 2021 is directed against points 1 and 2 of the above-mentioned decision of the data protection authority. Roman one.3. The complaint filed on November 15, 2021 is directed against points 1 and 2 of the above-mentioned decision of the data protection authority.
I.4. The authority concerned has submitted the complaint in question, together with the relevant administrative files, to the Federal Administrative Court (hereinafter also referred to as the "BVwG") with a file submission dated November 23, 2021. Roman one.4. The authority concerned has submitted the complaint in question, together with the relevant administrative files, to the Federal Administrative Court (hereinafter also referred to as the "BVwG") with a file submission dated November 23, 2021.
I.5. The legal case in question was taken away from the previously responsible court department by order of the business allocation committee with effect from October 6, 2022 and reassigned to court department W292. Roman one.5. The legal case in question was taken away from the previously responsible court department by order of the business allocation committee with effect from October 6, 2022 and reassigned to court department W292.
II. The Federal Administrative Court has considered: Roman II. The Federal Administrative Court has considered:
II.1. Findings: Roman II.1. Findings:
II.1.1. On the complainant Roman II.1.1. About the complainant
The complainant has a trade license for the activity of "credit reporting agency" in accordance with Section 152 of the Trade Regulation Act 1994. As part of its commercial activity, it provides credit information on natural persons to its contractual partners, including trading companies, telecommunications providers and energy suppliers. The complainant has a trade license for the activity of "credit reporting agency" in accordance with Section 152 of the Trade Regulation Act 1994. As part of its commercial activity, it provides credit information on natural persons to its contractual partners, including trading companies, telecommunications providers and energy suppliers.
II.1.2. About XXXX Roman II.1.2. About Roman XXXX
In September / October 2020, the co-participating party placed an order for an energy supply contract with the energy supplier XXXX using an application form. In September/October 2020, the party involved placed an order for an energy supply contract with the energy supplier roman XXXX using an application form.
In a letter dated October 1, 2020, the party involved was informed by XXXX that the order had been cancelled due to an insufficient credit check. In a letter dated October 1, 2020, the party involved was informed by roman XXXX that the order had been cancelled due to an insufficient credit check.
II.1.3. On the contractual relationship between the complainant and XXXX roman II.1.3. On the contractual relationship between the complainant and XXXX
A contractual relationship for the provision of credit information regarding potential customers of XXXX GmbH existed between the complainant and XXXX from June 30, 2017 to June 30, 2021. A contractual relationship for the provision of credit information regarding potential customers of roman XXXX GmbH existed between the complainant and roman XXXX from June 30, 2017 to June 30, 2021.
II.1.4. On the request for information to the complainant dated October 7, 2020roman II.1.4. On the request for information to the complainant dated October 7, 2020
The co-participating party submitted a request for information to the complainant within the meaning of Art. 15 GDPR on October 7, 2020. The co-participating party submitted a request for information to the complainant within the meaning of Article 15 GDPR on October 7, 2020.
II.1.5. On the complainant's response dated October 8, 2020roman II.1.5. Regarding the complainant's reply letter of October 8, 2020
In a letter dated October 8, 2020, the complainant informed the co-participating party, with reference to the request for information under data protection law dated October 7, 2020, which personal data, namely her name and address, had been stored about her. It was also stated that on October 1, 2020, XXXX made a credit inquiry about the co-participating party to XXXX (complainant). In a letter dated October 8, 2020, the complainant informed the co-participating party, with reference to the request for information under data protection law dated October 7, 2020, which personal data, namely her name and address, had been stored about her. It was also stated that on October 1st, 2020, Roman XXXX made a credit inquiry to Roman XXXX (complainant) regarding the person of the co-involved party.
II.1.6. On the request for information to the complainant dated January 7th, 2021 Roman II.1.6. On the request for information to the complainant dated January 7th, 2021
In a letter dated January 7th, 2021, the co-involved party again requested the complainant to properly comply with its obligation to provide information.
II.1.7. On the complainant's reply dated January 13th, 2021 Roman II.1.7. Regarding the complainant's reply of January 13, 2021
On January 13, 2021, the complainant sent a letter to the co-participating party in which it essentially pointed out that there was no right to information within the meaning of Art. 15 GDPR regarding the creation of the risk values transmitted to customers of the co-participating party and that the parameters and methods used to calculate a risk value were to be qualified as the complainant's trade secret. On January 13, 2021, the complainant sent a letter to the co-participating party in which it essentially pointed out that there was no right to information within the meaning of Article 15 GDPR regarding the creation of the risk values transmitted to customers of the co-participating party and that the parameters and methods used to calculate a risk value were to be qualified as the complainant's trade secret.
II.1.8. On the data protection complaint of the co-participating party Roman II.1.8. On the data protection complaint of the co-participating party
The co-participating party filed a data protection complaint against the complainant with the data protection authority on March 17, 2021.
II.1.9. On the complainant's statement and provision of information dated April 28, 2021 Roman II.1.9. On the complainant's statement and provision of information dated April 28, 2021
In a letter dated April 28, 2021, the complainant informed the co-participating party that no automated decision-making within the meaning of Art. 22 GDPR was taking place and that there was therefore no right to information in accordance with Art. 15 (1)(h) GDPR. The complainant also pointed out again that the information requested by the co-participating party was to be qualified as trade secrets. In a letter dated April 28, 2021, the complainant informed the co-participating party that no automated decision-making within the meaning of Article 22, GDPR was taking place and that there was therefore no right to information pursuant to Article 15, paragraph one, letter h, GDPR. The complainant also pointed out again that the information requested by the co-participating party was to be qualified as trade secrets.
The complainant sent a current data extract to the co-involved party, which listed the personal data it had stored about the co-involved party, as well as the companies to which credit data on the co-involved party was sent, and the value disclosed to them.
The complainant stated that its recommendation [meaning: to the inquiring companies] was calculated in particular on the basis of the parameters "qualified payment defaults (debt collection entries, insolvency, etc.), age and place of residence".
II.1.10. On the calculated credit score Roman II.1.10. On the calculated credit score
Regarding the co-involved party, XXXX (complainant) sent XXXX a "medium" credit score of 550-574. With regard to the co-involved party, there was no negative payment experience data available in the complainant's system to determine the creditworthiness score. With regard to the co-involved party, a "medium" creditworthiness score of 550-574 was sent to the Roman XXXX (complainant) by the Roman XXXX. With regard to the co-involved party, there was no negative payment experience data available in the complainant's system to determine the creditworthiness score.
II.1.11. On the automated profiling of the complainant Roman II.1.11. On the automated profiling of the complainant
It is established that the complainant's recommendation regarding the ability and willingness to pay is calculated based on the statistical probability of the parameters of qualified payment defaults (i.e. debt collection entries, insolvency, etc.), age and place of residence of the person concerned.
The data is collected by the complainant from publicly available sources, data from address publishers and information on payment experiences provided by corporate customers and over 60 debt collection partners. Further processing is carried out electronically.
II.1.12. Regarding the purposes of processing by the complainant: Roman II.1.12. Regarding the processing purposes of the complainant:
The data is stored by the complainant for the purpose of carrying out the trade in accordance with Section 151 (address publishers and direct marketing companies), Section 152 (credit reporting agencies) and Section 153 (automatic data processing and information technology services) of the Trade Regulations 1994 (GewO) for forwarding to the recipient group of the lending industry.The data is stored by the complainant for the purpose of carrying out the trade in accordance with Section 151 (address publishers and direct marketing companies), Section 152 (credit reporting agencies) and Section 153 (automatic data processing and information technology services) of the Trade Regulations 1994 (GewO) for forwarding to the recipient group of the lending industry.
II.2. Evaluation of evidence: Roman II.2. Evaluation of evidence:
The findings made could be made on the basis of the unobjectionable file situation. In detail:
II.2.1. Regarding II.1.1. (Regarding the complainant): Roman II.2.1. Regarding Roman II.1.1. (Regarding the complainant):
The finding that the complainant has a trade license for the activity of “credit information agency” in accordance with Section 152 of the Trade Regulation Act 1994 and, as part of this, provides credit information to its contractual partners, follows from the relevant unobjectionable file situation and the complainant’s website.The finding that the complainant has a trade license for the activity of “credit information agency” in accordance with Section 152 of the Trade Regulation Act 1994 and, as part of this, provides credit information to its contractual partners, follows from the relevant unobjectionable file situation and the complainant’s website.
II.2.2. Regarding II.1.2. (Regarding XXXX): Roman II.2.2. Regarding Roman II.1.2. (Regarding Roman XXXX):
The fact that the co-participating party placed an order for an energy supply contract with the energy supplier XXXX in September/October 2020, but that this was cancelled by letter from XXXX dated October 1st, 2020, is evident in particular from the information provided by the parties in the proceedings before the authority concerned in conjunction with the relevant letter from XXXX dated October 1st, 2020, which states that the co-participating party's order was cancelled due to an insufficient "credit check". The fact that the co-participating party placed an order for an energy supply contract with the energy supplier roman XXXX in September / October 2020, but that this was cancelled by letter from roman XXXX dated October 1st, 2020, is evident in particular from the information provided by the parties in the proceedings before the authority concerned, taken together with the relevant letter from roman XXXX dated October 1st, 2020, which shows that the co-participating party's order was cancelled due to an insufficient "credit check".
II.2.3. Regarding II.1.3. (Regarding the contractual relationship between the complainant and XXXX): roman II.2.3. Regarding roman II.1.3. (On the contractual relationship between the complainant and Roman XXXX):
The fact that a contractual relationship existed between the complainant and XXXX from June 30, 2017 to June 30, 2021 is evident from the complainant's submissions in the proceedings before the authority concerned, in particular from the complainant's letter to XXXX dated October 21, 2020, in which the latter, with reference to the general terms and conditions of the contract dated June 30, 2017, announced that it would terminate the contractual relationship as of June 30, 2021. The fact that a contractual relationship existed between the complainant and roman XXXX from 30 June 2017 to 30 June 2021 is evident from the complainant's submissions in the proceedings before the authority concerned, in particular from the complainant's letter to roman XXXX dated 21 October 2020, in which the latter announced, with reference to the general terms and conditions of the contract dated 30 June 2017, that it would terminate the contractual relationship as of 30 June 2021.
II.2.4. On II.1.4. (On the co-participating party's request for information on data protection law to the complainant dated 7 October 2020):roman II.2.4. On roman II.1.4. (Regarding the co-participating party's request for information under data protection law to the complainant dated October 7, 2020):
The fact that the co-participating party sent a request for information to the complainant on October 7, 2020 undoubtedly follows from the co-participating party's letter to the complainant on this matter.
II.2.5. Regarding II.1.5. (Regarding the complainant's reply letter dated October 8, 2020 to the co-participating party): Roman II.2.5. Regarding Roman II.1.5. (Regarding the complainant's reply letter dated October 8, 2020 to the co-participating party):
The relevant findings could be made on the basis of the letter dated October 8, 2020.
II.2.6. Regarding II.1.6. (Regarding the request for information under data protection law to the complainant dated January 7th, 2021): Roman II.2.6. Regarding Roman II.1.6. (Regarding the request for information under data protection law to the complainant dated January 7th, 2021):
The relevant findings could be made on the basis of the letter dated January 7th, 2021 contained in the administrative act.
II.2.7. Regarding II.1.7. (Regarding the complainant's reply dated January 13th, 2021): Roman II.2.7. Regarding Roman II.1.7. (Regarding the complainant's reply dated January 13th, 2021):
The findings could be made on the basis of the letter to the co-participating party dated January 13th, 2021.
II.2.8. Regarding II.1.8. (On the data protection complaint of the co-participating party)Roman II.2.8. On Roman II.1.8. (On the data protection complaint of the co-participating party)
The fact that the co-participating party filed a data protection complaint against the complainant with the data protection authority on March 17, 2021 was undisputed based on the file.
II.2.9. On II.1.9. (On the complainant's statement and information dated April 28, 2021)Roman II.2.9. On Roman II.1.9. (On the complainant's statement and information dated April 28, 2021)
The relevant findings were made on the basis of the complainant's letter dated April 28, 2021.
II.2.10. On II.1.10. (On the calculated credit score) Roman II.2.10. On Roman II.1.10. (On the calculated credit score)
The fact that the complainant provided XXXX with an "average" credit rating of 550-574 [points in the complainant's system] for the co-involved party, without any specific negative payment experience data being available or included in the calculation of the value, is evident from the consistent statements made by the co-involved party and the complainant in the proceedings before the authority concerned and was therefore undisputed. The fact that the complainant transmitted an "average" credit rating of 550-574 [points in the complainant's system] to roman XXXX with regard to the co-participating party, without any specific negative payment experience data being available or taken into account in calculating the value, is evident from the consistent statements made by the co-participating party and the complainant in the proceedings before the authority concerned and was therefore undisputed.
II.2.11. Re II.1.11. (Regarding the automated profiling of the complainant): roman II.2.11. Re roman II.1.11. (On the automated profiling of the complainant):
The findings regarding the calculation of the credit score by the complainant, the origin of the data and the fact that it is processed electronically could be made on the basis of her own information, in particular on the basis of the statements in the statement of April 28, 2021 in the proceedings before the authority concerned, in which the complainant stated that her recommendations regarding the ability and willingness to pay of certain natural persons are calculated on the basis of statistical probabilities, in particular the parameters of qualified payment defaults (debt collection entries, insolvency, etc.), age and place of residence of the person concerned.
II.2.12. Regarding II.1.12. (On the purposes of processing by the complainant): Roman II.2.12. Regarding Roman II.1.12. (On the purposes of processing by the complainant):
The fact that the data is stored by the complainant for the purpose of carrying out the trades in accordance with Section 151 (address publishers and direct marketing companies), Section 152 (credit reporting agencies) and Section 153 (services in automatic data processing and information technology) of the Trade Code 1994 (GewO) for forwarding to the recipient group of the lending industry is evident from the complainant's statement of October 8, 2020 and that of April 28, 2021. The submitted data protection declaration also shows that the complainant's data is used to carry out the business of credit information agency in accordance with Section 152 of the Trade Regulations 1994 and address publishing in accordance with Section 151 of the Trade Regulations 1994. The fact that the complainant's data is stored for the purpose of carrying out the business in accordance with Paragraph 151 (address publishing and direct marketing companies), Paragraph 152 (credit information agencies) and Paragraph 153 (services in automatic data processing and information technology) of the Trade Regulations 1994 (GewO) for forwarding to the recipient group of the lending industry is evident from the complainant's statement of October 8, 2020 and that of April 28, 2021. The data protection declaration submitted also shows that the complainant's data will be used to carry out the business of providing credit information in accordance with Section 152 of the Trade Regulations 1994 and of providing address publishing in accordance with Section 151 of the Trade Regulations 1994.
II.3. Legal assessment: Roman II.3. Legal assessment:
According to Section 6 of the BVwGG, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates.According to Section 6 of the BVwGG, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates.
Since the subject matter of the complaint is a decision by the data protection authority, the senate has jurisdiction in accordance with Section 27 of the DSG. Since the subject matter of the complaint is a decision by the data protection authority, the senate has jurisdiction in accordance with Section 27 of the DSG.
II.3.1. On ruling point A) - amendment of ruling points 1 and 2 of the contested decision: Roman II.3.1. On ruling point A) - amendment of ruling points 1 and 2 of the contested decision:
II.3.1.1. Applicable law: Roman II.3.1.1. Applicable law:
The relevant provisions of the Federal Law on the Protection of Natural Persons with Respect to the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette I No. 24/2018, read in extracts including the heading as follows:The relevant provisions of the Federal Law on the Protection of Natural Persons with Respect to the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette Part One, No. 24 of 2018, read in extracts including the heading as follows:
"Basic right to data protection
§ 1. (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data cannot be subject to a claim of confidentiality due to their general availability or because they cannot be traced back to the person concerned. Paragraph one, (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and family life, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data cannot be subject to a claim of confidentiality due to their general availability or because they cannot be traced back to the person concerned.
(2) If the use of personal data is not in the vital interest of the person concerned or with his or her consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons stated in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection in order to safeguard important public interests and must at the same time establish appropriate guarantees for the protection of the confidentiality interests of those affected. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the objective.(2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, restrictions on the right to confidentiality are only permissible in order to safeguard the overriding legitimate interests of another person, and in the case of interventions by a state authority only on the basis of laws which are necessary for the reasons set out in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 of 1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection in order to safeguard important public interests and must at the same time establish appropriate guarantees for the protection of the confidentiality interests of those affected. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the goal.
[…]“
“Complaint to the data protection authority
§ 24. (1) Every data subject has the right to complain to the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or § 1 or Article 2, Chapter 1.Paragraph 24, (1) Every data subject has the right to complain to the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or paragraph 1 or Article 2, Chapter 1.
(2) The complaint must contain:
1. the designation of the right considered to have been violated,
2. as far as this is reasonable, the designation of the legal entity or body to which the alleged violation of law is attributed (respondent),
3. the facts from which the violation of law is derived,
4. the reasons on which the allegation of illegality is based,
5. the request to establish the alleged violation of law and
6. the information required to assess whether the complaint was submitted in time.
(3) A complaint must be accompanied by the underlying application and any response from the respondent, if applicable. In the event of a complaint, the data protection authority must provide further support at the request of the person concerned.
[…]“
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 4 May 2016, hereinafter: GDPR, read in extracts including the heading:
“Article 4
Definitions
For the purposes of this Regulation, the following terms shall apply:
(1) “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or linking, restriction, erasure or destruction;
…
4. "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
…
(7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are specified by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(10) "third party" means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or processor;
…
Article 5
Principles for the processing of personal data
(1) Personal data must
a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);
c) be adequate, relevant and limited to what is necessary for the purposes of the processing (‘data minimisation’);
d) be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period provided that the personal data are necessary for the purposes for which they are processed, subject to the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject,processed solely for archiving purposes in the public interest or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1) ('storage limitation');
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures ('integrity and confidentiality');
(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance with it ('accountability')."
Article 6
Lawfulness of processing
(1) Processing shall be lawful only if at least one of the following conditions is met:
a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.
(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for the purpose of complying with points (c) and (e) of paragraph 1 by specifying more precisely specific processing requirements and other measures to ensure lawful and fair processing, including for other specific processing situations as set out in Chapter IX.(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for the purpose of complying with points (c) and (e) of paragraph 1 by specifying more precisely specific processing requirements and other measures to ensure lawful and fair processing, including for other specific processing situations as set out in Chapter IX.
(3) The legal basis for the processing operations referred to in points (c) and (e) of paragraph 1 shall be:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing must be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the rules of this Regulation, inter alia, provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the data subjects concerned, the entities to which and for which purposes the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures to be applied, including measures to ensure lawful and fair processing such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate purpose pursued. The purpose of the processing must be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, it must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the data subjects concerned, the entities to which and for which purposes the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures to be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate purpose pursued.
(4) Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with that for which the personal data were initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offences are processed pursuant to Article 10;
(d) the possible consequences of the intended further processing for the data subjects;
(e) the Existence of appropriate safeguards, which may include encryption or pseudonymisation.
[…]
Article 12
Transparent information, communication and modalities for exercising the data subject's rights
(1) The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and all communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for information specifically addressed to children. The information shall be provided in writing or in another form, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven by other means.
(2) The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22 only if the controller demonstrates that it is not in a position to identify the data subject.
(3) The controller shall provide the data subject with information on the action taken on the request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary taking into account the complexity and number of requests. The controller shall inform the data subject of any extension of the time limit within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request electronically, the information shall be provided electronically wherever possible, unless the data subject indicates otherwise.
(4) Where the controller does not act on the data subject's request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not acting and of the possibility to lodge a complaint with a supervisory authority or to seek judicial redress.
(5) Information pursuant to Articles 13 and 14 and all communications and measures pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the case of manifestly unfounded or excessive requests from a data subject, in particular if repetitive, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or of implementing the requested measure; or
(b) refuse to act on the request.
The controller shall provide evidence of the manifestly unfounded or excessive nature of the request.
(6) Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request pursuant to Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.
(7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to provide a meaningful overview of the intended processing in an easily perceptible, intelligible and clearly comprehensible form. If the icons are presented in electronic form, they shall be machine-readable.
(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 specifying the information to be presented by icons and the procedures for providing standardised icons.”
Article 13
Information obligation when personal data are collected from the data subject
(1) Where personal data are collected from the data subject, the controller shall communicate to the data subject at the time of collection of those data:
a) the name and contact details of the controller and, where applicable, of his representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) where applicable, the recipients or categories of recipients of the personal data; and
(f) where applicable, the intention of the controller to transfer the personal data to a third country or to an international organisation, as well as the existence or absence of an adequacy decision by the Commission, or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they are available.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following further information at the time of collecting those data, which is necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
b) the existence of a right to obtain from the controller information about the personal data concerned, as well as to rectification or erasure or to restriction of processing or to object to processing, as well as the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of a right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of the consent until its withdrawal;
d) the existence of a right to lodge a complaint with a supervisory authority;
e) whether the provision of the personal data is required by law or contract or is necessary to enter into a contract, whether the data subject is obliged to provide the personal data and the possible consequences of non-provision of the data, and
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
(3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall, before such further processing, provide the data subject with information about that other purpose and any other relevant information referred to in paragraph 2.
(4) Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information.”
Article 14
Information obligation where the personal data were not collected from the data subject
(1) Where personal data are not collected from the data subject, the controller shall communicate to the data subject:
a) the name and contact details of the controller and, where applicable, of his or her representative;
b) in addition, the contact details of the data protection officer;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) the categories of personal data being processed;
e) where applicable, the recipients or categories of recipients of the personal data;
(f) where applicable, the intention of the controller to transfer the personal data to a recipient in a third country or to an international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they are available.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing for the data subject:
(a) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
c) the existence of a right to obtain from the controller information about the personal data concerned, as well as to rectification or erasure or restriction of processing, and a right to object to processing, as well as a right to data portability;
d) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of a right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of the consent until its withdrawal;
e) the existence of a right to lodge a complaint with a supervisory authority;
f) the source of the personal data, and, where applicable, whether they come from publicly accessible sources;
g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
(3) The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period of obtaining the personal data, taking into account the specific circumstances of the processing of the personal data, but no later than one month;
(b) where the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to him or her; or,
(c) where disclosure to another recipient is intended, at the latest at the time of the first disclosure.
(4) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with information about that other purpose and any other relevant information referred to in paragraph 2 before such further processing.
(5) Paragraphs 1 to 4 shall not apply if and to the extent that:
(a) the data subject already has the information;
(b) providing such information would prove impossible or involve disproportionate effort; this applies in particular to processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article is likely to make the achievement of the objectives of that processing impossible or seriously compromises In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making such information available to the public,
c) the acquisition or disclosure is explicitly regulated by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject, or
d) the personal data are subject to a duty of professional secrecy, including a statutory obligation of secrecy, by Union or Member State law and must therefore be kept confidential.
Article 15
Right of access of the data subject
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed; where this is the case, access to those personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data being processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of the personal data concerning him or her or to object to such processing
f) the existence of the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 relating to the transfer.
(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. Where the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject specifies otherwise.
(4) The right to receive a copy pursuant to paragraph 1b shall not adversely affect the rights and freedoms of others.”
Article 22
Automated individual decisions, including profiling
(1) The data subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph 1 shall not apply if the decision
a) is necessary for entering into, or the performance of, a contract between the data subject and the controller,
b) is authorized by Union or Member State law to which the controller is subject, and that law contains suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
c) is based on the data subject's explicit consent.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.
(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to protect the data subject's rights and freedoms and legitimate interests have been taken.
Paragraph 152 of the Trade Regulations 1994 (GewO 1994), Federal Law Gazette I No. 111/2002, reads with the heading: Paragraph 152 of the Trade Regulations 1994 (GewO 1994), Federal Law Gazette Part One, No. 111 of 2002, reads with the heading:
"Credit reporting agencies
(1) Business operators who are authorized to operate credit reporting agencies are not authorized to provide information about private circumstances that are not related to creditworthiness.
(2) The business operators named in paragraph 1 are obliged to keep their business correspondence and business records for seven years. The seven-year period runs from the end of the calendar year in which the correspondence took place or the last entry was made in the business record. If the trade license is terminated, the correspondence and business books must be destroyed, even if the seven-year period has not yet elapsed.”(2) The traders named in paragraph one are obliged to keep their business correspondence and business books for seven years. The seven-year period runs from the end of the calendar year in which the correspondence took place or the last entry was made in the business book. If the trade license is terminated, the correspondence and business books must be destroyed, even if the seven-year period has not yet elapsed.”
II.3.1.2. In this case, the party involved (hereinafter also: “data subject”) essentially argued in its submissions to the authority concerned that the complainant (hereinafter also “data controller”) had calculated a “credit score” for her without her knowledge and subsequently forwarded this to XXXX, the controller’s contractual partner, at its request. The calculation of this "credit score" was carried out without any payment experience data on the party involved and therefore led to an incorrect result. Roman II.3.1.2. In relation to the case, the party involved (hereinafter also: "data subject") essentially argued in its submissions to the authority concerned that the complainant (hereinafter also "data controller") had calculated a "credit score" on her person without her knowledge and subsequently forwarded this to Roman XXXX, the controller's contractual partner, at its request. The calculation of this "credit score" was carried out without any payment experience data on the party involved and therefore led to an incorrect result.
II.3.1.3. As regards the violation of the principles of data processing (point 1.a) of the contested decision), it was first necessary to examine whether the complainant, as the data controller, had violated the principle of legality and the principle of processing in good faith pursuant to Art. 5, Paragraph 1, Letter a of GDPR when processing the personal data of the co-participating party as the data subject. Roman II.3.1.3. As regards the violation of the principles of data processing (point 1.a) of the contested decision), it was first necessary to examine whether the complainant, as the data controller, had violated the principle of legality and the principle of processing in good faith pursuant to Article 5, Paragraph 1, Letter a of GDPR when processing the personal data of the co-participating party as the data subject.
It should be noted at this point that the argumentation of the complainant in the context of her appeal against the decision, according to which a violation of the principles of legality and data processing in good faith (Article 5, paragraph 1, letter a, GDPR) cannot be made the subject of a complaint under Section 24 of the Data Protection Act [and Article 77 of the GDPR], could not be followed from the point of view of the deciding Senate. It should be noted at this point that the argumentation of the complainant in the context of her appeal against the decision, according to which a violation of the principles of legality and data processing in good faith (Article 5, paragraph one, letter a, GDPR) cannot be made the subject of a complaint under Section 24 of the Data Protection Act [and Article 77 of the GDPR], could not be followed from the point of view of the deciding Senate.
The fact that the data protection authority could only determine a violation of subjective rights in those cases in which the person concerned explicitly relies on a right under the provisions of Chapter III "Rights of the data subject", i.e. Art. 12ff GDPR, cannot be derived from either Section 24 DSG - or from Art. 77 GDPR. In connection with Art. 77 GDPR, the data protection authority is obliged to make a decision whenever the person concerned "believes that the processing of personal data concerning him or her violates this Regulation". Contrary to the complainant's legal opinion, however, Art. 77 GDPR does not contain a restriction on the rights of the person concerned in accordance with Art. 12ff GDPR, but a person concerned can base a violation of rights on any provision of the GDPR, provided that the processing of personal data in violation of the GDPR also leads to a violation of the legal position of the person concerned (see Jahnel, Commentary on the General Data Protection Regulation Art. 77 GDPR, para. 11f). The fact that the data protection authority could only determine a violation of subjective rights in those cases in which the person concerned explicitly relies on a right under the provisions of Chapter III "Rights of the data subject", i.e. Articles 12 f, f, GDPR, cannot be derived from either Paragraph 24, DSG - or Article 77, GDPR. In connection with Article 77, GDPR, the data protection authority is obliged to make a decision whenever the person concerned "believes that the processing of personal data concerning him or her violates this regulation". Contrary to the complainant's legal opinion, however, Article 77, GDPR does not contain a restriction on the rights of the person concerned in accordance with Articles 12 f, f, GDPR, but rather a person concerned can base a violation of rights on any provision of the GDPR, provided that the processing of personal data in violation of the GDPR also leads to a violation of the legal position of the person concerned (see Jahnel, Commentary on the General Data Protection Regulation Article 77, GDPR, para. 11f).
The ECJ has also already stated that Article 77 GDPR is sufficiently clear, precise and unconditional and thus directly applicable (cf. ECJ 16.1.2024, C-33/22, Austrian Data Protection Authority, para. 62). According to its wording, Article 77 paragraph 1 GDPR does not refer to a violation of rights, but to a violation of the GDPR by the data processing. However, this does not contradict the assumption that violations of the principles of Art. 5 (1) GDPR (as in the case-specific case according to its letters a and d) can be asserted in a complaint under Art. 77 GDPR, provided that this violation concerns the processing of personal data concerning the complainant (here the co-participant) (cf. VwGH of March 6, 2024, Ro 2021/04/0030, para. 49). The ECJ has also already stated that Article 77, GDPR is sufficiently clear, precise and unconditional and thus directly applicable (cf. ECJ January 16, 2024, C-33/22, Austrian Data Protection Authority, para. 62). According to its wording, Article 77, paragraph 1, GDPR does not refer to a violation of rights, but to a violation of the GDPR in the data processing. However, this does not contradict the assumption that violations of the principles of Article 5, paragraph 1, GDPR (as in the case of the case according to its letters a and d) can be asserted in and of themselves in a complaint under Article 77, GDPR, provided that this violation concerns the processing of personal data concerning the complainant (here, therefore, the co-participant) (cf. VwGH of 06.03.2024, Ro 2021/04/0030, para. 49).
II.3.1.4. The term “profiling” is defined by the legal definition in Article 4(10) of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Roman II.3.1.4. The term “profiling” is defined by the legal definition in Article 4(10) of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
II.3.1.5. First of all, it should be pointed out that, according to the settled case law of the Court of Justice of the European Union, any processing of personal data must comply with the principles for the processing of personal data set out in Art. 5 GDPR and, in view of the principle of lawfulness of processing provided for in Art. 5(1)(a), must meet one of the conditions for lawfulness of processing set out in Art. 6 of that regulation (see ECJ of December 7, 2023, C-634/21, para. 67 and the case law cited therein). The controller must be able to demonstrate compliance with these principles in accordance with the principle of accountability set out in Art. 5(2) GDPR (see ECJ of October 20, 2022, C-77/21, para. 24).Roman II.3.1.5. First of all, it should be pointed out that, according to the settled case law of the Court of Justice of the European Union, any processing of personal data must comply with the principles for the processing of personal data set out in Article 5 of the GDPR and, in view of the principle of lawfulness of processing provided for in Article 5, paragraph one, letter a, must meet one of the conditions for the lawfulness of processing set out in Article 6 of this Regulation (see ECJ of December 7, 2023, C-634/21, para. 67 and the case law cited therein). The controller must be able to demonstrate compliance with these principles in accordance with the principle of accountability set out in Article 5, paragraph 2 of the GDPR (see ECJ of October 20, 2022, C-77/21, para. 24).
With regard to the legality of processing personal data, Article 6, paragraph 1 of the GDPR contains an exhaustive and conclusive list of six cases (for the previous provision, Article 7 of the GDPR: ECJ 24.11.2011, combined cases C-468/10 and C-469/10, ASNEF, para. 30 ff; 19.10.2016, C-582/14, Breyer, para. 57). With regard to the legality of processing personal data, Article 6, paragraph 1 of the GDPR contains an exhaustive and conclusive list of six cases (for the previous provision, Article 7 of the GDPR: ECJ 24.11.2011, combined cases C-468/10 and C-469/10, ASNEF, para. 30 ff; 19.10.2016, C-582/14, Breyer, para. 57).
In the present case, in the absence of consent from the data subject or in the absence of a corresponding contractual relationship between the parties, the only permissible basis is Article 6, Paragraph 1, Letter f, GDPR - thus the exercise of a legitimate interest in data processing by the controller or a third party. In the present case, in the absence of consent from the data subject or in the absence of a corresponding contractual relationship between the parties, the only permissible basis is Article 6, Paragraph 1, Letter f, GDPR - thus the exercise of a legitimate interest in data processing by the controller or a third party.
According to the consistent case law of the European Court of Justice, the processing of personal data on the basis of Art. 6 (1) (f) GDPR is permissible under three cumulative conditions: 1. the legitimate interest pursued by the controller or the third party(s) to whom the data is transmitted, 2. the necessity of processing the personal data to achieve the legitimate interest, and 3. the fundamental rights and freedoms of the person affected by the processing do not outweigh the legitimate interest pursued (cf. ECJ, judgment of 4 May 2017, C-13/16, Rīgas satiksme, para. 28; 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, para. 40; OGH 2 February 2022, 6 Ob 129/21w; 6 Ob 67/22d). According to the consistent case law of the European Court of Justice, the processing of personal data on the basis of Article 6, paragraph one, letter f, GDPR is permissible under three cumulative conditions: 1. Pursuance of a legitimate interest by the controller or the third party(s) to whom the data is transmitted, 2. Necessity of processing the personal data to achieve the legitimate interest and 3. the fundamental rights and freedoms of the person affected by the processing do not outweigh the perceived legitimate interest (cf. ECJ, judgment of 4 May 2017, C-13/16, Rīgas satiksme, para. 28; 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, para. 40; OGH 02.02.2022, 6 Ob 129/21w; 6 Ob 67/22d).
II.3.1.5.1. In this context, the recent judgment of the Court of Justice of the European Union of 07.12.2023, OQ / Land Hessen, C‑634/21, had to be discussed in more detail, in which the ECJ made the following findings in connection with the activities of credit reporting agencies in determining probability values for credit assessment: Roman II.3.1.5.1. In this context, the recent judgment of the Court of Justice of the European Union of December 7, 2023, OQ / Land Hessen, C‑634/21, had to be discussed in more detail, in which the ECJ made the following findings in connection with the activities of credit reporting agencies in determining probability values for credit assessment:
"... Article 22 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is to be interpreted as meaning that"... Article 22, paragraph one, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is to be interpreted as meaning that
an “automated individual decision” within the meaning of this provision exists if a probability value based on personal data relating to a person with regard to that person’s ability to meet future payment obligations is created automatically by a credit agency, provided that this probability value is the decisive factor in determining whether a third party to whom this probability value is transmitted establishes, implements or terminates a contractual relationship with that person.”
As the Court of Justice of the European Union stated in the above-mentioned decision, Article 22(1) GDPR grants the data subject the “right” not to be subjected to a decision based exclusively on automated processing – including profiling. As can be seen from Article 22(2) GDPR in conjunction with Recital 71 of that regulation, the adoption of a decision based solely on automated processing is only permissible in the cases referred to in Article 22(2), i.e. if it is necessary for entering into or fulfilling a contract between the data subject and the controller (lit. a), if it is permitted by Union or Member State law to which the controller is subject (lit. b), or if it is based on the data subject’s explicit consent (lit. c) (see paragraph 53 of the judgment in question). As the Court of Justice of the European Union stated in the above-mentioned decision, Article 22(1) GDPR grants the data subject the “right” not to be subjected to a decision based solely on automated processing – including profiling. As can be seen from Article 22, paragraph 2, GDPR in conjunction with Recital 71 of this Regulation, the adoption of a decision based solely on automated processing is only permissible in the cases referred to in Article 22, paragraph 2, i.e. if it is necessary for entering into or fulfilling a contract between the data subject and the controller (point a), if it is permitted by Union or Member State law to which the controller is subject (point b), or if it is made with the data subject's explicit consent (point c); see paragraph 53 of the judgment in question).
Furthermore, in the case of automated decision-making, such as that within the meaning of Article 22, paragraph 1 GDPR, the controller is subject to additional information obligations under Article 13, paragraph 2, letter f and Article 14, paragraph 2, letter g of this Regulation. On the other hand, according to Article 15(1)(h) GDPR, the data subject has a right of information from the controller, which in particular concerns “meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject” (cf. paragraph 56 of the judgment). Furthermore, in the case of automated decision-making, such as that within the meaning of Article 22(1) GDPR, the controller is subject to additional information obligations under Article 13(2)(f) and Article 14(2)(g) of this regulation. On the other hand, according to Article 15(1)(h) GDPR, the data subject has a right of information from the controller, which in particular concerns “meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject” (cf. paragraph 56 of the judgment).
These increased requirements for the legality of automated decision-making, as well as the additional information obligations of the controller and the associated additional information rights of the data subject, follow from the purpose pursued by Art. 22 GDPR, which is to protect individuals from the particular risks to their rights and freedoms associated with the automated processing of personal data - including profiling (para. 57 of the judgment in question).These increased requirements for the legality of automated decision-making, as well as the additional information obligations of the controller and the associated additional information rights of the data subject, follow from the purpose pursued by Article 22 GDPR, which is to protect individuals from the particular risks to their rights and freedoms associated with the automated processing of personal data - including profiling (para. 57 of the judgment in question).
These increased requirements for the legality of automated decision-making, as well as the additional information obligations of the controller and the associated additional information rights of the data subject, follow from the purpose pursued by Article 22 GDPR, which is to protect individuals from the particular risks to their rights and freedoms associated with the automated processing of personal data - including profiling (para. 57 of the judgment in question). In its decision, the ECJ stated that in circumstances such as those in the main proceedings, in which three actors are involved, there is a risk of Article 22 of the GDPR being circumvented and, consequently, there is a gap in legal protection if preference is given to a narrow interpretation of this provision, according to which the determination of the probability value is to be regarded only as a preparatory act and only the act carried out by the third party can, if appropriate, be classified as a “decision” within the meaning of Article 22(1) of this regulation. Furthermore, in paragraph 61 of its decision, the ECJ stated that in circumstances such as those in the main proceedings, in which three actors are involved, there is a risk of Article 22 of the GDPR being circumvented and, consequently, there is a gap in legal protection if preference is given to a narrow interpretation of this provision, according to which the determination of the probability value is to be regarded only as a preparatory act and only the act carried out by the third party can, if appropriate, be classified as a “decision” within the meaning of Article 22(1) of this regulation.
As the ECJ finally stated in paragraph 67 of its decision, As the ECJ states in paragraph 67 of its judgment, referring to established case law, any processing of personal data must comply with the principles for the processing of personal data set out in Article 5 of the GDPR and, in view of the principle of lawfulness of processing set out in Article 5(1)(a), meet one of the conditions for the lawfulness of processing set out in Article 6 of this Regulation. Finally, as the ECJ states in paragraph 67 of its judgment, referring to established case law, any processing of personal data must comply with the principles for the processing of personal data set out in Article 5 of the GDPR and, in view of the principle of lawfulness of processing set out in Article 5(1)(a), meet one of the conditions for the lawfulness of processing set out in Article 6 of this Regulation.
If the law of a Member State allows the adoption of a decision based solely on automated processing pursuant to Article 22(2)(b) of the GDPR – the ECJ continues – that processing must therefore fulfil not only the conditions laid down in the latter provision and in Article 22(4) of the GDPR, but also the requirements set out in Articles 5 and 6 of that Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22(2)(b) of the GDPR which allows profiling in breach of the requirements of Articles 5 and 6 as interpreted by the Court of Justice (see paragraph 68 of the judgment).If the legislation of a Member State allows the adoption of a decision based solely on automated processing pursuant to Article 22(2)(b) of the GDPR - the ECJ continues -, this processing must therefore not only meet the conditions set out in the latter provision and in Article 22(4) of the GDPR, but also the requirements set out in Articles 5 and 6 of this Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22(2)(b) of the GDPR which allows profiling in breach of the requirements of Articles 5 and 6 as interpreted by the Court of Justice (see paragraph 68 of the judgment).
II.3.1.5.2. From all of this, however, it follows in the specific case that the complainant's argument that it itself does not carry out automated decision-making within the meaning of Art. 22 GDPR when calculating probability values for assessing the creditworthiness of natural persons and providing this information to their customers (third parties) was to be rejected in light of the ECJ decision of December 7, 2023 presented above. Rather, the complainant, as a credit agency, automatically created a probability value based on personal data with regard to the ability of the co-participating party to meet future payment obligations and this probability value was the decisive criterion for the co-participating party being simply refused to conclude an energy supply contract by XXXX. Roman II.3.1.5.2. From all of this, however, it follows in the specific case that the complainant's argument that it itself does not carry out automated decision-making within the meaning of Article 22 of the GDPR when calculating probability values for assessing the creditworthiness of natural persons and providing this information to their customers (third parties) was to be rejected in light of the ECJ decision of December 7, 2023 presented above. Rather, the complainant, as a credit agency, automatically created a probability value based on personal data with regard to the ability of the co-participating party to meet future payment obligations and this probability value was the decisive criterion for the co-participating party being refused an energy supply contract without further ado by Roman XXXX.
In this context, reference should also be made to the VwGH decision of December 21, 2023, Ro 2021/04/0010. In it, the Administrative Court referred to the ECJ's statements in the judgment in Case C-634/21, according to which profiling itself constitutes an "automated decision in an individual case" within the meaning of Art. 22 (1) GDPR if the result of this automated processing is decisive for a specific - further - decision insofar as the actions of the third party are "significantly guided" by the profiling in question and thus significantly affect the person concerned. It is already clear from the content of the first question referred that the actions of the third party to whom the probability value is transmitted are "significantly" guided by this value. According to the findings of fact of the referring court, in the case of a credit application submitted by a consumer to a bank, an insufficient probability value leads in almost all cases to the bank refusing to grant the requested credit. In this context, reference should also be made to the decision of the VwGH of December 21, 2023, Ro 2021/04/0010. In it, the Administrative Court referred to the ECJ's statements in the judgment in Case C-634/21, according to which profiling itself constitutes an "automated decision in an individual case" within the meaning of Article 22, paragraph one, GDPR, if the result of this automated processing is decisive for a specific - further - decision insofar as the actions of the third party are "significantly guided" by the profiling in question and thus significantly affect the person concerned. It is already clear from the content of the first question referred that the actions of the third party to whom the probability value is transmitted are "significantly" guided by this value. According to the findings of fact of the referring court, in the case of a credit application submitted by a consumer to a bank, an insufficient probability value leads in almost all cases to the bank refusing to grant the requested credit.
In the present case, the responsible party, in its capacity as a credit agency, assigned a credit rating - sometimes with sufficiently negative connotations - to the party involved in the complainant's system, all without the person concerned ever having shown negative payment behavior. The fact that the complainant's legal representative confirmed in his email of November 15, 2021 that no negative payment experience data on the person concerned had been included in the credit score concerning him cannot change this legal classification. The probability value (credit score) transmitted by the complainant to XXXX was indisputably the decisive criterion for the fact that the person concerned was refused a contract by XXXX and the behavior of XXXX was thus largely guided by automated decision-making. In the present case, the controller, in its capacity as a credit agency, assigned the party involved a credit rating - sometimes with sufficiently negative connotations - in the complainant's system, all without the person concerned ever having shown negative payment behavior. The fact that the complainant's legal representative confirmed in his email of November 15, 2021 that no negative payment experience data on the person concerned had been included in the credit score concerning him cannot change this legal classification. The probability value (credit score) transmitted by the complainant to roman XXXX was indisputably the decisive criterion for the person concerned being refused a contract by roman XXXX and the conduct of roman XXXX was therefore largely guided by automated decision-making.
In the present case, the determination of the "credit score" of the person concerned, which was ultimately decisive for the refusal to conclude a contract with the energy supplier, was therefore to be classified as a decision that "has legal effects on a person concerned or significantly affects them in a similar way" within the meaning of Article 22 paragraph 1 of the GDPR. In the present case, the determination of the "credit score" of the person concerned, which was ultimately decisive for the refusal to conclude a contract with the energy supplier, was therefore to be classified as a decision that "has legal effects on a person concerned or significantly affects them in a similar way" within the meaning of Article 22 paragraph 1 of the GDPR.
The complainant's legal opinion that it only carries out a creditworthiness calculation itself, while any further decision is made by the respective recipients of the creditworthiness reports it has prepared, i.e. the contractual partners and customers of the responsible party, in this case an energy supplier, and that a decision - of whatever kind - based on the calculation of the "credit score" is therefore not anticipated by the responsible party as a credit agency, does not hold water from a legal point of view. As the ECJ explicitly stated in the decision presented above, there would be a risk of circumvention of Art. 22 GDPR and consequently a gap in legal protection if preference were given to a narrow interpretation of the provision, according to which the determination of the probability value should only be regarded as a preparatory act, which is why, in the specific case, there is undoubtedly automatic decision-making within the meaning of Art. 22 (1) GDPR. The complainant's legal opinion that it only carries out a creditworthiness calculation itself, while any further decision is made by the respective recipients of the creditworthiness reports it has prepared, i.e. the contractual partners and customers of the responsible party, in this case an energy supplier, and that a decision - of whatever kind - based on the calculation of the "credit score" is therefore not anticipated by the responsible party as a credit agency, does not hold water from a legal point of view. As the ECJ explicitly stated in the decision presented above, there would be a risk of circumventing Article 22 of the GDPR and consequently a gap in legal protection if a narrow interpretation of the provision, according to which the determination of the probability value should only be regarded as a preparatory act, were given preference, which is why, in this case, there is undoubtedly automatic decision-making within the meaning of Article 22, paragraph 1, of the GDPR.
However, if a decision based solely on automated processing is permissible pursuant to Article 22(2) GDPR, such processing must also meet the requirements of Articles 5 and 6 of this Regulation. However, if a decision based solely on automated processing is permissible pursuant to Article 22(2) GDPR, such processing must also meet the requirements of Articles 5 and 6 of this Regulation.
II.3.1.5.3. First of all, it had to be examined whether one of the exceptions in Article 22(2) GDPR came into play in the present case: Roman II.3.1.5.3. First of all, it was therefore necessary to examine whether one of the exceptions in Article 22, Paragraph 2, GDPR applies in the present case:
As far as the requirements of Article 22, Paragraph 2, GDPR are concerned, it cannot be said in the specific case that the decision was necessary for the conclusion or performance of a contract between the data subject, i.e. the party involved, and the controller, i.e. the complainant, within the meaning of Article 22, Paragraph 1, Letter a, GDPR. There are also no legal provisions in national law that contain "appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject", as required by Article 22, Paragraph 1, Letter b, GDPR. In this context, it should be expressly stated that Section 152 of the Trade Regulations 1994 does not constitute such a legal basis. In the case at hand, with regard to the automated decision-making process at hand within the meaning of Article 22 Paragraph 1 GDPR, there is also no (express) consent from the party involved within the meaning of Article 22 Paragraph 1 Letter c GDPR. As far as the requirements of Article 22 Paragraph 2 GDPR are concerned, it cannot be said in this specific case that the decision was necessary for the conclusion or fulfillment of a contract between the data subject, i.e. the party involved, and the controller, i.e. the complainant, within the meaning of Article 22 Paragraph 1 Letter a, GDPR. Nor do national law contain any legal provisions containing “appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject”, as required by Article 22 Paragraph 1 Letter b, GDPR. In this context, it should be expressly noted that Paragraph 152 of the Trade Regulations 1994 does not constitute such a legal basis. In relation to the automated decision-making process in question within the meaning of Article 22, Paragraph 1, GDPR, there is also no (express) consent from the party involved within the meaning of Article 22, Paragraph 1, Letter c, GDPR.
As a result, in this specific case, a decision based exclusively on automated processing (creation of the "credit score") was not covered by Article 22, Paragraph 2, GDPR. As a result, in this specific case, a decision based exclusively on automated processing (creation of the "credit score") was not covered by Article 22, Paragraph 2, GDPR.
Overall, it was therefore to be noted that in the present case, a probability value based on personal data with regard to the ability of the party involved to fulfil future payment obligations was automatically created by a credit agency, namely the complainant as the data protection controller within the meaning of Art. 4(7) GDPR, and that the probability value calculated here was crucial in determining whether third parties (in this case: an energy supply company) would establish, implement or terminate a contractual relationship with this person, but the legal requirements for this were not met due to the lack of an exception under Art. 22(2) GDPR. Overall, it was therefore clear that in the present case a probability value based on personal data with regard to the ability of the party involved to fulfil future payment obligations was automatically created by a credit agency, namely the complainant as the data protection controller within the meaning of Article 4, paragraph 7, GDPR, and that the probability value calculated here was the key factor in determining whether third parties (in this case: an energy supply company) would establish, implement or terminate a contractual relationship with this person, but that the legal requirements for this were not met due to the lack of an exception under Article 22, paragraph 2, GDPR.
II.3.1.5.4. In addition, the above-mentioned decision of the Court of Justice of the European Union shows that in the case of profiling the controller is subject to further information obligations under Article 13, paragraph 2, letter f and Article 14, paragraph 2, letter g of GDPR, but has not complied with these in the present case. Roman II.3.1.5.4. In addition, the above-mentioned decision of the Court of Justice of the European Union shows that in the case of profiling, the controller is subject to further information obligations under Article 13, Paragraph 2, Letter f and Article 14, Paragraph 2, Letter g, GDPR, but has not complied with these in the present case.
Specifically, it follows from the aforementioned provisions of the GDPR that, in addition to the information pursuant to paragraph 1 leg. cit., the controller must provide the data subject with information at the time the data is collected as to the existence of automated decision-making, including profiling, in accordance with Art. 22 paragraph 1 and paragraph 4 GDPR and - at least in those cases - meaningful information about the logic involved, as well as the scope and the intended effects of such processing for the data subject.Specifically, it follows from the aforementioned provisions of the GDPR that, in addition to the information pursuant to paragraph 1 leg. cit., the controller must provide the data subject with information at the time the data is collected as to the existence of automated decision-making, including profiling, in accordance with Article 22 paragraph 1 and paragraph 4 GDPR and - at least in those cases - meaningful information about the logic involved, as well as the scope and the intended effects of such processing for the data subject.
II.3.1.5.5. However, the complainant did not adequately inform its contractual partners, i.e. those companies that enquired about the creditworthiness of the other party involved, in accordance with the requirements set out above, that automated decision-making, including profiling, was taking place in accordance with Art. 22 Paragraph 1 and Paragraph 4, that the "credit score" of the other party involved was calculated without any payment history data being available, and that the other party involved was therefore not given sufficient opportunity to present its point of view as a data subject to data protection law to a company inquiring about the creditworthiness. To do this, it would be necessary for the credit report to make it sufficiently clear that the credit score contained therein was calculated without any payment history data. In addition, no information was provided about the logic involved, as well as the scope and intended effects of such processing for the data subject.Roman II.3.1.5.5. However, the complainant did not adequately inform its contractual partners, i.e. those companies that requested the creditworthiness of the other party involved, in line with the requirements outlined above, that automated decision-making, including profiling, was taking place in accordance with Article 22, paragraph one and paragraph four, that the "credit score" of the other party involved was calculated without the existence of payment history data, and that the other party involved was therefore not given sufficient opportunity to present its position as a data subject to data protection law to a company that requested creditworthiness. To do this, it would be necessary for the credit report to make it sufficiently clear that the credit score contained therein was calculated without payment history data. In addition, no information was provided about the logic involved, the scope and the intended effects of such processing for the data subject.
Overall, the Senate therefore comes to the same conclusion as the authority concerned, apart from the fact that in the present case there was no exception under Article 22 paragraph 2 of the GDPR. As the person responsible for data protection, the complainant violated the principles of "lawfulness" and processing in "good faith" within the meaning of Article 5 paragraph 1 letter a of the GDPR when processing personal data to create probability statements ("credit score") on the creditworthiness of the person concerned. Overall, the Senate therefore comes to the same conclusion as the authority concerned, apart from the fact that in the present case there was no exception under Article 22 paragraph 2 of the GDPR. The complainant, as the person responsible for data protection, violated the principles of "lawfulness" and processing in "good faith" within the meaning of Article 5, Paragraph 1, Letter a, of the GDPR when processing personal data to create probability statements ("credit score") on the creditworthiness of the person concerned.
II.3.1.6. The authority concerned also ruled in point 1.b) of the contested decision that the person responsible had violated the principle of transparency because it had not explained to the person concerned in an understandable manner whether it was also processing the personal data of the other party involved, which it processed for the purpose of carrying out the business of providing credit information on credit relationships, for the purpose of carrying out the business of address publishers and direct marketing companies and the business of providing services in automatic data processing and information technology. Roman II.3.1.6. The authority concerned also stated in point 1.b) of the contested decision that the responsible party had violated the principle of transparency because it had not explained to the person concerned in a comprehensible manner whether it was also processing the personal data of the other party involved, which it processed for the purpose of operating the credit reporting business, for the purpose of operating the address publishing and direct marketing business and the business of providing services in automatic data processing and information technology.
From the point of view of the Senate, however, it is not understandable why this point was made, especially since any violation that might have occurred in this regard was not covered by the application initiating the proceedings.
From the complainant's statements of October 8, 2020 and April 28, 2021, it is also clear that the complainant's data is stored for the purpose of carrying out the trades in accordance with Section 151 (address publishers and direct marketing companies), Section 152 (credit reporting agencies) and Section 153 (automatic data processing and information technology services) of the Trade Regulations 1994 (GewO) for forwarding to the recipient group of the lending industry.From the complainant's statements of October 8, 2020 and April 28, 2021, it is also clear that the complainant's data is stored for the purpose of carrying out the trades in accordance with Section 151 (address publishers and direct marketing companies), Section 152 (credit reporting agencies) and Section 153 (automatic data processing and information technology services) of the Trade Regulations 1994 (GewO) stored for forwarding to the recipient group of the lending industry.
It was not clear to what extent the controller had violated the principle of transparency in this context.
The relevant ruling in the ruling of the contested decision therefore had to be omitted without replacement.
II.3.1.7. The same applies to ruling point 2. a) of the contested decision, with which the controller was instructed by the authority concerned to provide the person concerned with information within a period of eight weeks, under penalty of execution, as to whether it is intended to further process the personal data of the co-participating party, in addition to processing for the purposes of exercising the business of providing credit information, for the purposes of exercising the business of address publishers and direct marketing companies and the business of providing services in automatic data processing and information technology. Roman II.3.1.7. The same applies to point 2. a) of the contested decision, in which the responsible party was instructed by the authority concerned to provide the person concerned with information within a period of eight weeks, under penalty of execution, as to whether it is intended to further process the personal data of the co-participating party in addition to processing it for the purpose of carrying out the business of providing information on credit relationships, for the purposes of carrying out the business of address publishers and direct marketing companies and the business of providing services in automatic data processing and information technology.
II.3.1.8. The data protection authority also came to the conclusion that the complainant had violated the co-participating party's right to confidentiality by unlawfully processing the co-participating party's data. Roman II.3.1.8. The data protection authority also came to the conclusion that the complainant had violated the co-participating party's right to confidentiality by unlawfully processing the co-participating party's data.
It should be noted that, contrary to the opinion of the authority concerned, the deciding senate does not assume that in the event of a violation of the principles for the processing of personal data set out in Article 5 of the GDPR in the context of a complaint pursuant to Article 77 of the GDPR and Section 24 of the DSG - apart from cases of an application explicitly directed solely to this effect - a ruling on a violation of the right to confidentiality pursuant to Section 1 Paragraph 1 of the DSG should also be denied.It should be noted that, contrary to the opinion of the authority concerned, the deciding senate does not assume that in the event of a violation of the principles for the processing of personal data set out in Article 5 of the GDPR in the context of a complaint pursuant to Article 77 of the GDPR and Section 24 of the DSG - apart from cases of an application explicitly directed solely to this effect - a ruling on a violation of the right to confidentiality pursuant to Paragraph 1, Paragraph 1 of the DSG should also be denied.
There is no legal requirement to necessarily rule out a uniform and inseparable decision on a data protection complaint that alleges both a violation of Section 1 Paragraph 1 of the Data Protection Act and violations of Article 5 Paragraph 1 of the GDPR. A violation of the right to confidentiality does not automatically constitute a violation of the GDPR in every case. Conversely, it cannot be ruled out that a violation of the GDPR asserted within the framework of Article 77 of the GDPR does not constitute a violation of the right to confidentiality under Section 1 Paragraph 1 of the Data Protection Act (cf. again VwGH of March 6, 2024, Ro 2021/04/0030, margin numbers 53 and 59). There is no legal requirement to necessarily rule out a uniform and inseparable decision on a data protection complaint that alleges both a violation of Paragraph 1, Paragraph 1 of the Data Protection Act and violations of Article 5, Paragraph 1 of the GDPR. A violation of the right to confidentiality does not automatically constitute a violation of the GDPR in every case. Conversely, it is also not excluded that a violation of the GDPR asserted within the framework of Article 77, GDPR does not constitute a violation of the right to confidentiality under paragraph one, subsection one, DSG (see again VwGH of March 6, 2024, Ro 2021/04/0030, paras. 53 and 59).
The co-involved party did not assert a violation of the right to confidentiality under Section 1, paragraph 1 DSG in its application initiating the proceedings. The co-involved party did not assert a violation of the right to confidentiality under paragraph one, subsection one, DSG in its application initiating the proceedings.
In addition, in the present case, an (additional) ruling on a violation of the right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act does not appear to be necessary, since the legality of the data processing has already been conclusively agreed upon in point 1.a) of the contested decision. In this regard, reference is again made to the recent decision of the ECJ of December 7, 2023, OQ v Land Hessen, C‑634/21. The ruling point 1.c) of the contested decision therefore had to be omitted without replacement. In addition, in the present case constellation, an (additional) ruling on a violation of the right to confidentiality according to paragraph one, subsection one, DSG does not appear to be necessary, since the legality of the data processing has already been conclusively agreed in ruling point 1.a) of the contested decision. In this regard, reference is again made to the recent decision of the ECJ of December 7, 2023, OQ / Land Hessen, C‑634/21. The ruling point 1.c) of the contested decision therefore had to be omitted without replacement.
II.3.1.9. On the right to information under Art. 15 GDPR: As regards the alleged violation of the right to information under Art. 15 GDPR in view of the fact that the controller did not provide the party involved (and data subject) with complete data information until the procedure was concluded, the relevant legal findings of the authority concerned had to be followed. Roman II.3.1.9. On the right to information under Article 15 GDPR: As regards the alleged violation of the right to information under Article 15 GDPR in view of the fact that the controller did not provide the party involved (and data subject) with complete data information until the procedure was concluded, the relevant legal findings of the authority concerned had to be followed.
II.3.1.9.1. Article 15(1)(h) of the GDPR states that the data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. If this is the case, the data subject has the right to access these personal data, as well as to be informed as to the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4), as well as to be provided with meaningful information as to the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. Roman II.3.1.9.1. Article 15(1)(h) of the GDPR states that the data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. If this is the case, the data subject has the right to information about these personal data and to information about the existence of automated decision-making, including profiling, in accordance with Article 22, paragraphs one and four, as well as meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject.
The right to information under Art. 15 GDPR is generally intended to ensure that the data subject receives sufficient information about the specific processing in order to be able to assert their rights as a data subject. The right to information under Article 15 GDPR is generally intended to ensure that the data subject receives sufficient information about the specific processing in order to be able to assert their rights as a data subject.
II.3.1.9.2. The complainant (and controller within the meaning of Art. 4(7) GDPR) stated several times in the proceedings that no automated decision-making within the meaning of Art. 22 GDPR was taking place and that there was therefore no right to information in accordance with Art. 15(1)(h) GDPR. Roman II.3.1.9.2. The complainant (and controller within the meaning of Article 4, paragraph 7, GDPR) stated several times in the proceedings that no automated decision-making within the meaning of Article 22, GDPR takes place and therefore there is no right to information pursuant to Article 15, paragraph one, letter h, GDPR.
As already stated under II.3.1.5.1., it follows from the decision of the ECJ of December 7, 2023, OQ / Land Hessen, C‑634/21, that the calculation of the statistical probability of default, as carried out by the complainant, undoubtedly constitutes “profiling” within the meaning of Art. 22 GDPR, because it assesses the economic situation of the person concerned and makes a prediction about payment behavior. As already stated under Roman II.3.1.5.1. It follows from the decision of the ECJ of December 7, 2023, OQ / Land Hessen, C‑634/21, that the calculation of the statistical probability of default, as carried out by the complainant, undoubtedly constitutes “profiling” within the meaning of Article 22, GDPR, because it assesses the economic situation of the data subject and makes a prediction about payment behavior.
Since such “profiling”, as already stated, is expressly mentioned in Art. 15, paragraph 1, letter h, GDPR, this circumstance is subject to the right to information under this provision. Since such “profiling”, as already stated, is expressly mentioned in Article 15, paragraph one, letter h, GDPR, this circumstance is subject to the right to information under this provision.
II.3.1.9.3. In addition, the ECJ holds in its judgment above under II.3.1.5.1. The ECJ states in its decision presented above under Roman II.3.1.5.1 that the data subject has a right to information from the controller under Article 15 paragraph 1 letter h of the GDPR, which in particular concerns "meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject". Roman II.3.1.9.3. In addition, the ECJ states in its decision presented above under Roman II.3.1.5.1 that the data subject has a right to information from the controller under Article 15 paragraph 1 letter h of the GDPR, which in particular concerns "meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject".
In this specific case, the co-involved party repeatedly requested information pursuant to Article 15 paragraph 1 letter h of the GDPR.In this specific case, the co-involved party repeatedly requested information pursuant to Article 15 paragraph 1 letter h of the GDPR.
In this case, the co-involved party has repeatedly requested the complainant to provide sufficiently clear and complete information regarding the personal data processed; in particular with regard to the information underlying the "credit score", such as the basis on which the co-involved party's creditworthiness was assessed, what type of data was processed by the controller to determine it, what exact content it has and where it comes from. The information to be transmitted by the controller must therefore be of such granularity and traceability that it is possible for the co-involved party as the data subject to understand how they could improve their current "credit score".
II.3.1.9.4. In the case under review here, it was not possible for the party involved to check the legality of the data processing, especially since it had not yet received any concrete information on how the credit score assigned to it came about.Roman II.3.1.9.4. In the case under review here, it was not possible for the party involved to check the legality of the data processing, especially since it had not yet received any concrete information on how the credit score assigned to it came about.
In its response to the request for information dated October 8, 2020, the controller merely stated in general terms that the credit rating transmitted was calculated based on qualified payment defaults, age and place of residence of the person concerned, and it contains a general reference to the fact that data was obtained from publicly available sources, data from address publishers and information on payment experiences transmitted by a large number of corporate customers and over 60 debt collection partners.
As a result, the co-participating party requested the complainant by letter dated January 7, 2021 to provide sufficiently clear and complete information regarding the personal data processed; in particular with regard to the information underlying the "credit score", such as the basis on which the co-participating party's creditworthiness was assessed, what type of data was processed by the complainant to determine it, what exact content it has and where it comes from. In concrete terms, in the opinion of the deciding Senate, the information provided must be sufficiently comprehensive for the co-participating party to be able to understand the reasons for the credit assessment (in the present case, a "scoring value" between 550 and 574 points in the controller's system).
II.3.1.9.5. In its letter dated January 13, 2021, the controller then referred to the fact that there was no right to information within the meaning of Article 15 of the GDPR regarding the creation of the risk values determined, especially since this information was to be classified as a trade secret. Roman II.3.1.9.5. In its letter dated January 13, 2021, the controller then referred to the fact that there was no right to information within the meaning of Article 15 of the GDPR regarding the creation of the risk values determined, especially since this information was to be classified as a trade secret.
In its information statement of April 28, 2021, the complainant subsequently sent a current data extract to the co-involved party, which listed the personal data it had stored about the co-involved party, as well as the companies to which credit data on the co-involved party was passed on, and also the value transmitted to them. In addition, the complainant's data protection declaration was enclosed, which, among other things, shows the sources from which the personal data is collected.
The responsible party explained that it calculates the risk value, which for private individuals is on a scale of 250 to 750, from the information stored in its identity and credit database as well as from the information transmitted by the customer in the request to the complainant, with the decision on the significance of the credit score transmitted to a customer of the complainant then being made by the customer.
In addition, the person responsible once again argued that the complainant does not carry out automated decision-making within the meaning of Art. 22 GDPR and that for this reason alone there is no right to information. In addition, the information requested by the co-involved party is to be qualified as the complainant's trade secrets within the meaning of Section 4 Paragraph 6 DSG. In addition, the person responsible once again argued that the complainant does not carry out automated decision-making within the meaning of Article 22 GDPR and that for this reason alone there is no right to information. In addition, the information requested by the co-involved party is to be qualified as the complainant's trade secrets within the meaning of Section 4 Paragraph 6 DSG.
The complainant also subsequently repeatedly argued that the specific calculation formula constituted a trade secret.
II.3.1.9.6. According to Section 4, Paragraph 6 of the Data Protection Act, the right to information is generally excluded if providing this information would endanger a business or trade secret of the controller or a third party. Roman II.3.1.9.6. According to Section 4, Paragraph 6 of the Data Protection Act, the right to information is generally excluded if providing this information would endanger a business or trade secret of the controller or a third party.
However, this exception did not create an absolute right of refusal, but rather the controller must carefully weigh up in each individual case to what extent providing information actually affects a business or trade secret (cf. Jahnel, Commentary on the General Data Protection Regulation, Article 15 of the GDPR, paragraph 55). However, this exception does not create an absolute right of refusal, but rather the controller must carefully consider in each individual case to what extent the provision of information actually affects a business and trade secret (see Jahnel, Commentary on the General Data Protection Regulation Article 15, GDPR margin number 55).
II.3.1.9.7. If automated decision-making is given in an individual case according to Art. 22 Para. 1 and 4 GDPR, and the exceptions in Art. 22 Para. 2 GDPR do not apply, the data subject must also be informed of this when the information is provided. In addition, information must be provided about the logic involved and the scope and intended effects of such processing. When providing information to the data subject, the controller must describe the logic used in such a way that the data subject is informed about the parameters included in the assessment and can recognize which aspects of their person or behavior are used. The algorithm itself does not have to be disclosed. The term “logic involved” is to be understood in such a way that only the principle on which such a calculation is based is to be presented, not the concrete calculation formula (cf. Jahnel, Commentary on the General Data Protection Regulation Art. 15 GDPR Rz 32). Roman II.3.1.9.7. If automated decision-making is given in an individual case in accordance with Article 22, Paragraph 1 and 4 GDPR, and the exceptions in Article 22, Paragraph 2 GDPR do not apply, the data subject must also be informed of this when the information is provided. Information must also be provided on the logic involved as well as on the scope and intended effects of such processing. When providing information to the data subject, the controller must describe the logic used in such a way that the data subject is informed of the parameters included in the assessment and can recognize which aspects of their person or behavior are being used. The algorithm itself does not have to be disclosed. The term "logic involved" is to be understood in such a way that only the principle on which such a calculation is based is to be presented, but not the concrete calculation formula (see Jahnel, Commentary on the General Data Protection Regulation Article 15, GDPR, para. 32).
If the controller in the present case therefore objects that the concrete calculation formula represents a trade secret, it must be countered that the assertion of a trade secret cannot absolutely eliminate the right to information, since interference with the fundamental right to data protection must be limited to the absolutely necessary extent (see also the judgment of the ECJ of February 14, 2019, C-345/17, para. 64). If the controller in the present case therefore objects that the specific calculation formula represents a trade secret, it must be countered that the assertion of a trade secret cannot completely eliminate the right to information, since interference with the fundamental right to data protection must be limited to the absolutely necessary extent (see also the judgment of the ECJ of 14 February 2019, C-345/17, paragraph 64).
II.3.1.9.8. Like the authority concerned, the deciding Senate also takes the view that, notwithstanding the fact that the complainant's specific calculation formula represents a trade secret, the controller could have provided the other party involved with further information for calculating the "credit score" attributed to it, without the complainant having to disclose its trade secrets. Roman II.3.1.9.8. Like the authority concerned, the Senate hearing the case is of the opinion that, regardless of the fact that the specific calculation formula of the complainant is a trade secret, the responsible party could have provided the other party with further information on the calculation of the "credit score" attributed to it without the complainant having to disclose its trade secrets.
The information provided by the responsible party remained superficial and vague throughout the entire procedure; at no point did the responsible party explain the principle on which the calculation of the "credit score" of the person concerned is based.
The responsible party should, however, have presented and provided at least basic information with regard to the calculation of the credit score of the other party (person concerned).
II.3.1.9.9. In her appeal against the decision, the complainant repeatedly stated that both point 1. d) and point 2. b) of the contested decision were unlawful, especially since it was completely unclear what information the authority in question still considered to be required to be provided and the decision also did not indicate where the line was to be drawn between the trade secrets, which she also considered to be protected, and the "further information" that was to be provided. In this respect, the points of the decision were also not enforceable. All information to be provided was disclosed to the party involved by April 28, 2021 at the latest. Roman II.3.1.9.9. In her appeal against the decision, the complainant repeatedly stated that both point 1. d) and point 2. b) of the contested decision were unlawful, especially since it was completely unclear which information, in the opinion of the authority concerned, still had to be provided and the decision did not indicate where the line should be drawn between the trade secrets, which in her opinion were also protected, and the "further information" that had to be provided. In this respect, the points of the decision were also not enforceable. All information to be provided was disclosed to the party involved by April 28, 2021 at the latest.
As already stated, the Senate is of the opinion that the specific algorithm itself does not have to be disclosed by the person responsible, but the person responsible must provide information about the logic used in a form that shows the basic principles on which the calculation of the "scoring value" is based. The controller must inform the other party involved about the specific parameters used in the assessment so that they can see which precise aspects of their person or their behavior are being used.
As correctly stated by the authority concerned, nothing can be gained for the complainant's legal position from its argument that the provision of basic information [to create a "credit score"] would result in a competitive disadvantage compared to market competitors, especially since all market participants are subject to the same provisions of the GDPR.
II.3.1.9.10. Result: Against the background of the preceding considerations, it was stated that the complainant violated the other party's right to information by not providing it with sufficient information in accordance with Art. 15 Paragraph 1 Letter h of GDPR throughout the entire procedure. In this respect, it was to be stated in judgment point 1.b) that the complainant had violated the co-participating party's right to information by not providing sufficient information until the present proceedings had been concluded, and the complainant was rightly ordered to provide the person concerned with the relevant information within a period of eight weeks, otherwise execution would be carried out.Roman II.3.1.9.10. Result: Against the background of the preceding considerations, it was to be stated that the complainant had violated the co-participating party's right to information by not providing the person concerned with the relevant information throughout the entire proceedings in accordance with Article 15, paragraph one, letter h, GDPR. In this respect, it was to be stated in judgment point 1.b) that the complainant had violated the co-participating party's right to information by not providing sufficient information until the present proceedings had been concluded, and the complainant was rightly ordered to provide the person concerned with the relevant information within a period of eight weeks, otherwise execution would be carried out.
II.3.2. On the omission of an oral hearing: Roman II.3.2. On the omission of an oral hearing: Pursuant to Section 24 Paragraph 1 of the VwGVG, the administrative court must hold a public oral hearing upon request or, if it deems this necessary, of its own motion. Pursuant to Section 24 Paragraph 4 of the VwGVG, the administrative court may - unless federal or state law provides otherwise - refrain from holding a hearing regardless of a party's request if the files show that the oral discussion is not likely to clarify the legal matter further and neither Article 6 Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights prevent the hearing from being omitted. Pursuant to Section 24, Paragraph 1 of the VwGVG, the administrative court must hold a public oral hearing upon request or, if it deems this necessary, of its own motion. According to paragraph 24, paragraph 4, VwGVG, the administrative court may – unless otherwise provided by federal or state law – refrain from holding a hearing, notwithstanding a party’s request, if the files show that the oral discussion is not likely to lead to further clarification of the legal case, and neither Article 6, paragraph 1, ECHR nor Article 47, CFR preclude the omission of the hearing.
In the present case, the facts were clear from the files. The use of further evidence was not necessary to clarify the facts.
In this case, the Federal Administrative Court had to rule exclusively on a legal question (cf. ECHR 20.06.2013, Appl. No. 24510/06, Abdulgadirov/AZE, para. 34 ff.); this consisted, on a case-by-case basis, of the legal assessment of the processing of personal data for the purpose of determining and creating probability values for the payment behavior of individual data subjects in the form of a "credit score" as a form of automated decision-making within the meaning of Art. 22 Para. 1 GDPR. In this case, the Federal Administrative Court had to rule exclusively on a legal question (cf. ECHR 20.06.2013, Appl. No. 24510/06, Abdulgadirov/AZE, para. 34 ff.); this consisted, on a case-by-case basis, of the legal assessment of the processing of personal data for the purpose of determining and creating probability values for the payment behavior of individual data subjects in the form of a "credit score" as a form of automated decision-making within the meaning of Article 22, Paragraph one, GDPR.
It was therefore not necessary to hold an oral hearing on a case-by-case basis.
II.3.3. On point B) of the ruling - inadmissibility of the appeal: Roman II.3.3. On point B) of the ruling - inadmissibility of the appeal:
According to Section 25a, Paragraph 1 of the Administrative Court Act (VwGG), the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Court Act (B-VG). The ruling must be briefly justified.According to Paragraph 25a, Paragraph one, VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4, Federal Constitutional Court Act (B-VG). The ruling must be briefly justified.
The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Court because the decision does not depend on the solution of a legal question of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the present case law of the Administrative Court cannot be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be resolved. The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Court because the decision does not depend on the solution of a legal question of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the present case law of the Administrative Court cannot be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be resolved.
On the question of the scope of the terms "automated decision-making, including profiling" within the meaning of Article 22 of the GDPR, the deciding Senate was able to rely in particular on the recent judgment of the Court of Justice of the European Union of December 7, 2023, OQ / Land Hessen, C-634/21. On the question of the scope of the terms "automated decision-making, including profiling" within the meaning of Article 22 of the GDPR, the deciding Senate was able to rely in particular on the recent judgment of the Court of Justice of the European Union of December 7, 2023, OQ / Land Hessen, C-634/21.
