BVwG - W176 2265088-1: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W176 2265088-1 |ECLI= |Original_Source_Name_1=BVwG |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20231006_W176_2265088_1_00/BVWGT_20231006_W176_2265088_1_00.pdf |Original_Source_Language_1=...")
 
No edit summary
 
(10 intermediate revisions by 4 users not shown)
Line 59: Line 59:
|Party_Link_2=
|Party_Link_2=


|Appeal_From_Body=DSB
|Appeal_From_Body=
|Appeal_From_Case_Number_Name=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Status=
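Review bot: The Appeal_From_Body field in the Line 59 hunk appears once as "DSB" and once empty, and the infobox of the latest revision shows a blank "Appeal from:" row, although the summary in the same revision says the BVwG reversed a decision of the DSB. Consider keeping "DSB" in this field, and filling Appeal_From_Case_Number_Name and Appeal_From_Status if they are known, so the infobox matches the summary.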
Line 72: Line 72:
}}
}}


The BVwG reversed the decision of the DSB concerning the lawfulness of processing activities by a credit agency, stating that relevant payment history data of a data subject can be saved by the agency up to five years from the date of settlement of outstanding debts.
The Austrian Federal Administrative Court ''(Bundesverwaltungsgericht - BVwG'')  reversed the decision of the Austrian DPA (''Datenschutzbehörde - DSB'') concerning the lawfulness of processing activities by a credit agency, stating that relevant payment history data of a data subject could lawfully be saved by the agency up to five years from the date of settlement of outstanding debts.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject submitted a request to the controller, a credit agency, to delete personal data relating to her. The data in question referred to three sets of payment information data referring to debts in the amounts of around EUR 24, 35 and 1,000 which she had by now paid off.  
A data subject submitted a request to the controller, a credit agency, to delete personal data relating to her. The data in question referred to three debts in the amounts of around €24, €35 and €1,000 which she had paid off by the time the complaint was filed.  
The controller responded that it would not delete such data and submitted that its processing activities relate to credit data which is relevant for establishing creditworthiness of data subjects on the basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], as it had a legitimate interest to provide its contractual partners whose activities entail a credit risk, with accurate credit data. For these third parties it is essential to consult the database provided by the controller, in order to be able to assess the payment behavior of their own potential contractual partners. The controller claimed that it is important to keep data relating to, among others, unpaid bills in their database, as they significantly increases the chances of future default and thus constitutes relevant credit data. For the sake of accuracy under [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]], the controller also submitted that it is important to keep records of debts that have been paid off, in fact, if the controller were to delete data relating to already settled debts of the data subject, this would create a distorted picture of her creditworthiness. In this case, the data subject had been sent several reminders by creditors before she actually settled her debts, whereby the creditors had to put debt recovery measures in place and suffered temporary damages from the unpaid bills. In the present case, the debts had been settled in 2019 and 2020, after being left unpaid for about three years.
 
The controller responded that it would not delete such data and submitted that its processing activities relate to credit data which is relevant for establishing creditworthiness of data subjects on the basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], as it has a legitimate interest to provide third parties, whose activities entail a credit risk, with accurate credit data. For these third parties it is essential to consult the database provided by the controller, in order to be able to assess the payment behavior of their potential contractual partners, such as the data subject in this case. The controller claimed that it is important to keep data relating to, among others, unpaid bills in their database, as they significantly increase the chances of future default and thus constitute relevant credit data.  
 
For the sake of accuracy under [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]], the controller submitted that it is important to also keep records of debts that have been paid off, in fact, if the controller were to delete data relating to already settled debts of the data subject, this would create a distorted picture of her creditworthiness. In this case, the data subject had been sent several reminders by creditors before she actually settled her debts, whereby the creditors had to put debt recovery measures in place and suffered temporary damages from the unpaid bills. In the present case, the debts had been settled in 2019 and 2020, after being left unpaid for about three years.
 
On 5 August 2022, the data subject brought a complaint with the DSB following the refusal by the controller to delete credit data relating to her, claiming also that the controller failed to inform her that data relating to her credit history were being saved for up to five years. Further, she claimed that such data processing had a negative impact on her as she was not granted a loan that she needed in order to start her own business.  
On 5 August 2022, the data subject brought a complaint with the DSB following the refusal by the controller to delete credit data relating to her, claiming also that the controller failed to inform her that data relating to her credit history were being saved for up to five years. Further, she claimed that such data processing had a negative impact on her as she was not granted a loan that she needed in order to start her own business.  
The DSB decided on the case on 8 November 2022, stating that, since it could not be established that the controller had sufficiently informed the data subject about the processing of her personal data relating to the three debts referred to above. In the DSB’s view, the controller failed to provide the DSB with evidence that the data subject was informed about the collection of credit data about her, despite being asked to and this goes against [[Article 5 GDPR#2|Article 5(2) GDPR]]. As a consequence, the DSB held the processing activities of the complainant’s personal data by the controller to be unlawful as it did not constitute “transparent processing in good faith” under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and ordered the controller to delete her data according to [[Article 17 GDPR|Article 17 GDPR]] within two weeks.  
 
The controller appealed the decision before the BVwG, claiming that a mere violation of [[Article 12 GDPR|Article 12 GDPR]] (and following Articles) does not imply unlawful processing activities and that an obligation to delete personal data cannot exclude any exceptions, since for instance under Article 17(1)(d), even upon withdrawal of consent, personal data about a data subject can continue to be processed given a valid legal basis.
The DSB decided on the case on 8 November 2022, stating that it could not be established that the controller had sufficiently informed the data subject about the processing of her personal data relating to the three debts referred to above. In the DSB’s view, the controller failed to provide the DSB with evidence that the data subject was informed, despite being asked to and thus acted in violation of its information duties derived from [[Article 5 GDPR#2|Article 5(2) GDPR]]. As a consequence, the DSB held the processing of the complainant’s personal data by the controller to be unlawful as it did not constitute “transparent processing in good faith” under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and ordered the controller to delete her data according to [[Article 17 GDPR]] within two weeks.  
 
The controller appealed the decision before the BVwG, claiming that a mere violation of [[Article 12 GDPR]], [[Article 13 GDPR]] or [[Article 14 GDPR]] cannot imply unlawful processing activities and that an obligation to delete personal data cannot exclude any exceptions, bringing the example that under Article 17(1)(d), even upon withdrawal of consent, personal data about a data subject can continue to be processed given a valid legal basis.


=== Holding ===
=== Holding ===
The BVwG first assessed the legality of processing of payment history data by the controller. The DSB held that the concept of good faith, as relied upon by the DSB should be interpreted in light of the GDPR and this means it has to be understood as “fairly”. According to Rectial 47 GDPR, this also means that the reasonable expectations of the data subject have to be taken into account. In addition to this, the BVwG reiterated the importance of the principle of transparency of processing enshrined in [[Article 13 GDPR|Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] and the obligation to provide information under article 12. After obtaining relevant information by the controller, the BVwG came to the conclusion that the data subject had been duly informed about the fact that her data would be used for credit-ranking purposes and on the basis of that the data subject also had the possibility to access the privacy policy of the controller and obtain information about the scope, aims, categories and legal basis of processing as well as categories and sources of data being processed. It could thus not be held that the controller violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. In this regard, the BVwG added that compliance with [[Article 14 GDPR|Article 14 GDPR]] cannot be considered as a ground for establishing the lawfulness of processing under [[Article 6 GDPR#1|Article 6(1) GDPR]].   
The BVwG first assessed the legality of processing of payment history data by the controller. The DSB held that the concept of good faith, as relied upon by the DSB should be interpreted in light of the GDPR and this means it has to be understood as “fairly”. According to [[Recitals GDPR|Recital 47 GDPR]], this also means that the reasonable expectations of the data subject have to be taken into account. In addition to this, the BVwG reiterated the importance of the principle of transparency of processing enshrined in [[Article 13 GDPR|Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] and the obligation to provide information under [[Article 12 GDPR]]. After finally obtaining relevant information by the controller, the BVwG came to the conclusion that the data subject had been duly informed about the fact that her data would be used for credit-ranking purposes and on top of this, the data subject also had access to the privacy policy of the controller and could obtain more information about processing. It could thus not be held that the controller violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. In this regard, the BVwG added that compliance with [[Article 14 GDPR|Article 14 GDPR]] cannot be considered as a ground for establishing the lawfulness of processing under [[Article 6 GDPR#1|Article 6(1) GDPR]].   
Moreover, the BVwG held that personal data should be deleted, upon request, when they are no longer necessary to fulfil the aims for which they were initially collected, if the processing is unlawful or in case of objection by the data subject. In this case, the BVwG noted that the lawfulness of processing depends on the balancing of interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The BVwG’s balancing exercise took account of its previous case-law where it had been established that credit agencies have an interest in saving credit data about a data subject when this relates to settled debts for even up to five years, but this should be assessed on a case-by-case basis. In the case at hand, the BVwG found that, given the role played by the controller as a credit agency, it has an interest in providing potential creditors with payment history and default information about the data subject, so that they can calculate the risk for possible future defaults. This, the BVwG held, is a clear, unambiguous purpose, provided by law (§ 152 GewO).   
 
As regards the duration of processing, the BVwG found that the controller did have an interest to provide its contractual partners with sufficient information to calculate credit risks, and it is required by EU Law (here the BVwG quoted Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms) to take into account payment behavior of the data subject of at least the past five years. In the case at hand, the oldest piece of information on the data subject’s default was recorded four and a half years earlier. Further, the BVwG did not consider the amount of the debts of EUR 23 and 35 to be too low, as it reiterated that observing the data subject’s payment behavior is essential for the contractual partners of the controller and this may also include lower-amount debts.  
Moreover, the BVwG held that personal data should be deleted according to [[Article 17 GDPR]], upon request, when they are no longer necessary to fulfil the aims for which they were initially collected, if the processing is unlawful or in case of objection by the data subject. In this case, the BVwG noted that the lawfulness of processing depends on the balancing of interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The BVwG’s balancing exercise took account of its previous case-law where it had been established that credit agencies have an interest in saving credit data about a data subject when this relates to settled debts for even up to five years, but this should be assessed on a case-by-case basis. In the case at hand, the BVwG found that, given the role played by the controller as a credit agency, it has an interest in providing potential creditors with payment history and default information about the data subject, so that they can calculate the risk for possible future defaults. This, the BVwG held, is a clear, unambiguous purpose, provided by law ([https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10007517 § 152 GewO]).   
 
As regards the duration of processing, the BVwG found that the controller did have an interest to provide its contractual partners with sufficient information to calculate credit risks, and it is required by EU Law (here the BVwG quoted [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32013R0575 Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms]) to take into account payment behavior of the data subject of at least the past five years. In the case at hand, the oldest piece of information on the data subject’s default was recorded four and a half years earlier. Further, the BVwG did not consider the amount of the debts of €23 and €35 to be too low, as it reiterated that observing the data subject’s payment behavior is essential for the contractual partners of the controller and this may also include lower-amount debts.  
 
Against this background, the BVwG held that the rights and interests of the data subject not to be economically disadvantaged from the processing, did not override those of the controller, which makes the processing lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The BVwG thus held that the initial complaint with the DSB should have been dismissed as unfounded.
Against this background, the BVwG held that the rights and interests of the data subject not to be economically disadvantaged from the processing, did not override those of the controller, which makes the processing lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The BVwG thus held that the initial complaint with the DSB should have been dismissed as unfounded.


== Comment ==
== Comment ==
This judgment sheds light on the interesting relation (or lack thereof) between the failure to provide information to a data subject and the lawfulness of processing. The BVwG's jurisprudence seems to confirm the idea that a "mere" violation of Articles 12, 13 or 14 cannot constitute a valid ground for considering the whole processing activities unlawful. Yet, it must be reiterated that, as quoted in the DSB decision in this case, even the CJEU in case C-201/14, held that there is a strong correlation between Articles 13 and 14 GDPR and [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], as the provision of information to data subjects is essential in allowing them to exercise theri rights.
This judgment sheds light on the interesting relation (or lack thereof) between the failure to provide information to a data subject and the lawfulness of processing. The BVwG's jurisprudence seems to confirm the idea that a "mere" violation of Articles 12, 13 or 14 cannot constitute a valid ground for considering the whole processing activities unlawful. Yet, it must be reiterated that, as quoted in the DSB decision in this case, even the CJEU in case [[CJEU - C-201/14 - Smaranda Bara|C-201/14]], held that there is a strong correlation between Articles 13 and 14 GDPR and [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], as the provision of information to data subjects is essential in allowing them to exercise their rights.


== Further Resources ==
== Further Resources ==
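Review bot: In the Holding paragraph, both versions open the good-faith point with "The DSB held that the concept of good faith, as relied upon by the DSB should be interpreted in light of the GDPR", inside a passage that describes the BVwG's own assessment. Check against the decision which body is meant and correct the first "DSB" if it should read BVwG. The amounts are also inconsistent in both versions: Facts gives the small debts as around 24 and 35 euros, while the duration paragraph in Holding refers to 23 and 35 euros. Align them with the decision.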

Latest revision as of 15:09, 25 October 2023

BVwG - W176 2265088-1
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 17 GDPR
Decided: 06.10.2023
Published: 20.10.2023
Parties:
National Case Number/Name: W176 2265088-1
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: BVwG (in German)
Initial Contributor: co

The Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) reversed the decision of the Austrian DPA (Datenschutzbehörde - DSB) concerning the lawfulness of processing activities by a credit agency, stating that relevant payment history data of a data subject could lawfully be saved by the agency up to five years from the date of settlement of outstanding debts.

English Summary

Facts

A data subject submitted a request to the controller, a credit agency, to delete personal data relating to her. The data in question referred to three debts in the amounts of around €24, €35 and €1,000 which she had paid off by the time the complaint was filed.

The controller responded that it would not delete such data and submitted that its processing activities relate to credit data which is relevant for establishing creditworthiness of data subjects on the basis of Article 6(1)(f) GDPR, as it has a legitimate interest in providing third parties, whose activities entail a credit risk, with accurate credit data. For these third parties it is essential to consult the database provided by the controller, in order to be able to assess the payment behavior of their potential contractual partners, such as the data subject in this case. The controller claimed that it is important to keep data relating to, among others, unpaid bills in its database, as they significantly increase the chances of future default and thus constitute relevant credit data.

For the sake of accuracy under Article 5(1)(d) GDPR, the controller submitted that it is important to also keep records of debts that have been paid off: if the controller were to delete data relating to already settled debts of the data subject, this would create a distorted picture of her creditworthiness. In this case, the data subject had been sent several reminders by creditors before she actually settled her debts, whereby the creditors had to put debt recovery measures in place and suffered temporary damages from the unpaid bills. In the present case, the debts had been settled in 2019 and 2020, after being left unpaid for about three years.

On 5 August 2022, the data subject filed a complaint with the DSB following the refusal by the controller to delete credit data relating to her, claiming also that the controller failed to inform her that data relating to her credit history were being saved for up to five years. Further, she claimed that such data processing had a negative impact on her as she was not granted a loan that she needed in order to start her own business.

The DSB decided on the case on 8 November 2022, stating that it could not be established that the controller had sufficiently informed the data subject about the processing of her personal data relating to the three debts referred to above. In the DSB’s view, the controller failed to provide the DSB with evidence that the data subject was informed, despite being asked to, and thus acted in violation of its information duties derived from Article 5(2) GDPR. As a consequence, the DSB held the processing of the complainant’s personal data by the controller to be unlawful as it did not constitute “transparent processing in good faith” under Article 5(1)(a) GDPR and ordered the controller to delete her data according to Article 17 GDPR within two weeks.

The controller appealed the decision before the BVwG, claiming that a mere violation of Article 12 GDPR, Article 13 GDPR or Article 14 GDPR cannot imply unlawful processing activities and that an obligation to delete personal data cannot exclude any exceptions, giving the example that under Article 17(1)(d), even upon withdrawal of consent, personal data about a data subject can continue to be processed given a valid legal basis.

Holding

The BVwG first assessed the legality of processing of payment history data by the controller. The DSB held that the concept of good faith, as relied upon by the DSB, should be interpreted in light of the GDPR and this means it has to be understood as “fairly”. According to Recital 47 GDPR, this also means that the reasonable expectations of the data subject have to be taken into account. In addition to this, the BVwG reiterated the importance of the principle of transparency of processing enshrined in Article 13 GDPR and Article 14 GDPR and the obligation to provide information under Article 12 GDPR. After finally obtaining relevant information from the controller, the BVwG came to the conclusion that the data subject had been duly informed about the fact that her data would be used for credit-ranking purposes and that, on top of this, the data subject also had access to the privacy policy of the controller and could obtain more information about processing. It could thus not be held that the controller violated Article 5(1)(a) GDPR. In this regard, the BVwG added that compliance with Article 14 GDPR cannot be considered as a ground for establishing the lawfulness of processing under Article 6(1) GDPR.

Moreover, the BVwG held that personal data should be deleted according to Article 17 GDPR, upon request, when they are no longer necessary to fulfil the aims for which they were initially collected, if the processing is unlawful or in case of objection by the data subject. In this case, the BVwG noted that the lawfulness of processing depends on the balancing of interests under Article 6(1)(f) GDPR. The BVwG’s balancing exercise took account of its previous case-law where it had been established that credit agencies have an interest in saving credit data about a data subject when this relates to settled debts for even up to five years, but this should be assessed on a case-by-case basis. In the case at hand, the BVwG found that, given the role played by the controller as a credit agency, it has an interest in providing potential creditors with payment history and default information about the data subject, so that they can calculate the risk for possible future defaults. This, the BVwG held, is a clear, unambiguous purpose, provided by law (§ 152 GewO).

As regards the duration of processing, the BVwG found that the controller did have an interest in providing its contractual partners with sufficient information to calculate credit risks, and it is required by EU law (here the BVwG quoted Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms) to take into account payment behavior of the data subject of at least the past five years. In the case at hand, the oldest piece of information on the data subject’s default was recorded four and a half years earlier. Further, the BVwG did not consider the amount of the debts of €23 and €35 to be too low, as it reiterated that observing the data subject’s payment behavior is essential for the contractual partners of the controller and this may also include lower-amount debts.

Against this background, the BVwG held that the rights and interests of the data subject not to be economically disadvantaged by the processing did not override those of the controller, which makes the processing lawful under Article 6(1)(f) GDPR. The BVwG thus held that the initial complaint with the DSB should have been dismissed as unfounded.

Comment

This judgment sheds light on the interesting relation (or lack thereof) between the failure to provide information to a data subject and the lawfulness of processing. The BVwG's jurisprudence seems to confirm the idea that a "mere" violation of Articles 12, 13 or 14 cannot constitute a valid ground for considering the whole processing activities unlawful. Yet, it must be reiterated that, as quoted in the DSB decision in this case, even the CJEU in case C-201/14 held that there is a strong correlation between Articles 13 and 14 GDPR and Article 5(1)(a) GDPR, as the provision of information to data subjects is essential in allowing them to exercise their rights.

