BVwG - W292 2247063-1/18E: Difference between revisions
From GDPRhub
m (added links) |
m (added another link) |
||
| Line 73: | Line 73: | ||
Revealing data on passed insolvency led to the data subject suffering damages as bank loans were made unavailable to him. In the particular circumstances of the data subject, the insolvency was caused due to guaranty commitments rather than his own actions. Any debt and guaranties were settled through the restructuring proceedings and all outstanding payments were made within a month. | Revealing data on passed insolvency led to the data subject suffering damages as bank loans were made unavailable to him. In the particular circumstances of the data subject, the insolvency was caused due to guaranty commitments rather than his own actions. Any debt and guaranties were settled through the restructuring proceedings and all outstanding payments were made within a month. | ||
The controller had violated the data subject’s right to privacy under Article 1(1) of the Austrian Data Protection Act as intermediately none of the requirements of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] were met for the publication of credit-limiting information. | The controller had violated the data subject’s right to privacy under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 Article 1(1) of the Austrian Data Protection Act] as intermediately none of the requirements of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] were met for the publication of credit-limiting information. | ||
The data subject later added that his right to rectification under [[Article 16 GDPR|Article 16 GDPR]], his right to erasure under [[Article 17 GDPR|Article 17 GDPR]] and his right to restriction under [[Article 18 GDPR|Article 18 GDPR]] had been violated. He further added that he is exercising his right to object under [[Article 21 GDPR|Article 21 GDPR]] due to violations of [[Article 6 GDPR|Article 6(1)(e) & (f) GDPR]]. The credit rating agency stored and made available negative entries for seven years after the insolvency proceedings had been wrapped up. | The data subject later added that his right to rectification under [[Article 16 GDPR|Article 16 GDPR]], his right to erasure under [[Article 17 GDPR|Article 17 GDPR]] and his right to restriction under [[Article 18 GDPR|Article 18 GDPR]] had been violated. He further added that he is exercising his right to object under [[Article 21 GDPR|Article 21 GDPR]] due to violations of [[Article 6 GDPR|Article 6(1)(e) & (f) GDPR]]. The data subject clarified that the credit rating agency stored and made available "negative entries" for seven years after the insolvency proceedings had been wrapped up. | ||
The DSB rejected the complaint on 16 August 2021 stating that the consideration of payment defaults in the recent past is necessary in order to portray a well-rounded profile of credit worthiness. The erasure from the insolvency register does not mean that this data must automatically be removed by credit rating agencies. | The DSB rejected the complaint on 16 August 2021 stating that the consideration of payment defaults in the recent past is necessary in order to portray a well-rounded profile of credit worthiness. The erasure from the insolvency register does not mean that this data must automatically be removed by credit rating agencies. | ||
Revision as of 14:40, 2 December 2024
| BVwG - W292 2247063-1/18E | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 6(1)(f) GDPR Article 17 GDPR §1(1) DSG |
| Decided: | 05.11.2024 |
| Published: | 27.11.2024 |
| Parties: | |
| National Case Number/Name: | W292 2247063-1/18E |
| European Case Law Identifier: | ECLI:AT:BVWG:2024:W292.2247063.1.00 |
| Appeal from: | BVwG (AT) W274 2247063-1 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | RIS (in German) |
| Initial Contributor: | ao |
A court held that a credit rating agency cannot rely on a legitimate interest to justify the retention of data on insolvency after this data has been deleted from the insolvency register.
English Summary
Facts
On the 16 December 2019, the data subject filed a complaint against the controller, a credit rating agency with the Austrian DPA (Datenschutzbehoerde – DSB). The data subject alleged that the controller stored data for an excessive period of time pending the termination of insolvency or restructuring proceedings.
Revealing data on passed insolvency led to the data subject suffering damages as bank loans were made unavailable to him. In the particular circumstances of the data subject, the insolvency was caused due to guaranty commitments rather than his own actions. Any debt and guaranties were settled through the restructuring proceedings and all outstanding payments were made within a month.
The controller had violated the data subject’s right to privacy under Article 1(1) of the Austrian Data Protection Act as intermediately none of the requirements of Article 6(1)(f) GDPR were met for the publication of credit-limiting information. The data subject later added that his right to rectification under Article 16 GDPR, his right to erasure under Article 17 GDPR and his right to restriction under Article 18 GDPR had been violated. He further added that he is exercising his right to object under Article 21 GDPR due to violations of Article 6(1)(e) & (f) GDPR. The data subject clarified that the credit rating agency stored and made available "negative entries" for seven years after the insolvency proceedings had been wrapped up.
The DSB rejected the complaint on 16 August 2021 stating that the consideration of payment defaults in the recent past is necessary in order to portray a well-rounded profile of credit worthiness. The erasure from the insolvency register does not mean that this data must automatically be removed by credit rating agencies.
The data subject appealed the decision to the Austrian Federal Administrative Court (Bundesverwaltungsgericht -BVwG) which rejected the claim on the 28 September 2022. The data subject appealed the decision of the court to the Supreme Administrative Court (Verwaltungsgerichtshof -VwGH). The VwGH repealed the decision of the BVwG with reference to the CJEU judgments C-26/22 and C-64/22 and held that the matter shall be reconsidered by a different department of the BVwG.
Holding
The court extracted that it had to determine whether the processing was lawful in two separate instances. Firstly, the processing of data after the data had been deleted from the public insolvency database. Secondly, the processing of data while this information was still publicly available through the insolvency database.
The court reiterated that:
Article 6(1)(f) GDPR sets out three requirements: 1 legitimate interest of the controller, 2 processing of personal data must be necessary to realise the legitimate interest and 3 the rights and freedoms of the data subject cannot outweigh this interest.
The court pointed to CJEU C-26/22 and C-64/22 and reiterated that these cases showed that credit rating agencies cannot store information longer than they are available in a public register if this is the source of the information. Further the Attorney General had highlighted that it is vital to enable data subjects to re-enter the economy after data has been deleted from the insolvency register and this would be jeopardised if the credit rating agency were to store insolvency data for an extensive period of time.
Therefore, the controller could not rely on Article 6(1)(f) GDPR after the data had been deleted from the insolvency register. The court concluded that the data should have been deleted by the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address:
Erdbergstrasse 192 – 196
1030 Vienna
Tel: +43 1 601 49 – 0
Fax: + 43 1 711 23-889 15 41
Email: einlaufstelle@bvwg.gv.at
www.bvwg.gv.at
E N T C H E I D U N G S D A T U M
0 5 . 1 1 . 2 0 2 4
G E S C H A F T NUMBER
W 2 9 2 2 2 4 7 0 6 3 - 1 / 1 8 E
I M N A M E N D E R R E P U B L I K!
The Federal Administrative Court, through Judge Mag. Herwig ZACZEK as chairman
and the expert lay judges Mag. Mathias SCHACHNER and Mag. René BOGENDORFER
as assessors, has decided on the complaint of XXXX against the decision of the data protection authority
dated August 16, 2021, GZ. XXXX (co-participating party XXXX, formerly XXXX), in a closed session, rightly ruled:
A)
The complaint is partially upheld and the contested decision is amended with the proviso that the overall ruling should read as follows:
“The data protection complaint of XXXX (as “data subject” pursuant to Art. 4 Z 1 GDPR)
from XXXX , against XXXX , formerly XXXX (as controller pursuant to Art. 4 Z 7 GDPR),
for violation of the right to confidentiality, the right to erasure, the right to Objection, right to rectification and right to restriction of processing
is partially granted and it is determined as follows:
1. The responsible party has thereby violated the data subject’s fundamental right to
data protection according to Section 1 Paragraph 1 of the Data Protection Act by processing personal data for Affected party with regard to a debt settlement procedure concerning him for the
period from XXXX , in a private database operated by the responsible party as part of its commercial activity as a credit agency,
and made available to third parties at their request,
since processing of personal data is prohibited from the time at which - 2 -
access to the data in question Information in the insolvency file was no longer
granted, cannot be based on Art. 6 subparagraph 1 lit. f GDPR.
2. Otherwise, the complaint is dismissed as unfounded.
B)
The appeal is in accordance with Art. 133 para. 4 B-VG not permitted.
Reasons for the decision:
I. Procedure:
1. By email dated 16.12.2019, XXXX (hereinafter: complainant) contacted the
data protection authority (hereinafter: authority concerned) and, using a form from the authority concerned, lodged a complaint initially against XXXX, meaning XXXX, now XXXX (hereinafter: co-involved party) and, in summary, argued as follows: The co-involved party stored the data for far too long “after the insolvency or restructuring proceedings had been legally terminated”. The unjustified granting of access to historical data that was no longer relevant for the credit assessment caused the complainant to suffer significant damage by making it impossible for him to access bank loans. The creditors' protection association must automatically delete the negative entry after a reasonable period of no more than three years without any complaints, but in particular must comply with an individual request for deletion. In the specific case, the complainant did indeed have personal debts, but the restructuring proceedings were initiated solely because of guarantee obligations. All debts and guarantees were finally settled by the acceptance of the restructuring plan, and there were no further guarantees. The complainant did not give rise to a negative entry either before or after the restructuring proceedings. The restructuring proceedings was concluded on XXXX by the acceptance of the restructuring plan - 3 -
and the payments were made within one month thereafter.
In an email dated XXXX, the complainant further argued that the party involved
had violated his fundamental right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act by
not having made any the conditions listed in Article 6 Paragraph 1 of the GDPR for a
credit-restricting publication are met.
In a submission dated XXXX, the complainant improved his data protection complaint
and stated that the complaint was directed against the violation of the fundamental right to
data protection pursuant to Section 1 of the Data Protection Act, the violation of the right to rectification pursuant to Art. 16 of the GDPR,
to erasure pursuant to Art. 17 of the GDPR and to restrict processing pursuant to Art. 18
GDPR and the complainant lodges an objection pursuant to Article 21 GDPR due to
violation of Art. 6 para. 1 lit. e and f GDPR. The complainant's rights have been violated because the party involved is on the warning list, WKE, economic database and
any other files store negative entries regarding creditworthiness in the case of other
debt-discharging payments for seven years and make them publicly available.
This seven-year period is too long and can no longer be justified since the GDPR came into force at the latest.
2. By decision of 16 August 2021, the authority concerned rejected the complainant's data protection complaint. The authority concerned justified this by stating that the entry made by the co-participating party regarding the insolvency in question was based on a file opened at the Regional Court for Civil Matters XXXX on XXXX regarding the appellant. restructuring proceedings. This was repealed on XXXX when the adopted restructuring plan became legally binding. The end of the payment period was set at XXXX. The purposes of the data processing and the database of the co-participating party consist of enabling those companies to access the data that are in the As part of their economic activity, they take on a credit risk, for example when delivering their goods or services. Taking into account payment defaults in the recent past is necessary in order to be able to provide complete information about the creditworthiness of a specific person. According to the authority concerned, deletion from the insolvency file does not automatically mean that this data must also be deleted from the creditworthiness database. Section 256 of the Insolvency Code does not mean that data on insolvencies can no longer be deleted on the basis of other authorisations under Art. 6
GDPR may be processed if they have been deleted from the insolvency file.
3. The complainant lodged an appeal against the decision of the authority concerned dated August 16, 2021, mentioned in the ruling, within the time limit.
4. The appeal against the decision of August 16. The complainant's complaint filed in 2021
was not upheld by the Federal Administrative Court's decision of September 28, 2022, regarding W274 2247063-1
5. The complainant lodged an appeal against this decision.
6. The Administrative Court overturned the decision of the Federal Administrative Court with
decision of 22.04.2024, No. Ro 2022/04/0038-9, due to the illegality of the content
with reference to the judgment of the ECJ of December 7, 2023 on C-26/22 and C-64/22.
7. The case in question was taken from the W274 judicial division on May 8, 2024 in accordance with the 2024 allocation of business and assigned to the W292 judicial division as new cases.
II. The Federal Administrative Court has considered:
II.1. Findings:
II.1.1. Regarding the co-involved party:
The co-involved party operates the business as a credit agency in accordance with Section 152 of the Trade Regulations 1994. The
XXXX, against which the complaint was directed in the application procedure of the authority concerned,
was merged into the company of XXXX by means of a merger agreement dated XXXX. The XXXX was deleted on XXXX. Due to the universal succession on the part of the co-involved party, the XXXX is now considered as the co-involved party in the judgment. party led.
II.1.2. For entry in the private credit database of the co-involved party:
In connection with its business, the co-involved party stores, among other things,
the following entry for the complainant in its credit database: - 5 -
" XXXX
Regional Court Z XXXX
Decision of: XXXX
Opening of the restructuring proceedings: XXXX , Registration deadline: XXXX
Insolvency administrator : XXXX and XXXX von Rechtsanwälten GmbH, represented by; XXXX
Decision of: XXXX - Opening of the restructuring proceedings: XXXX , Registration deadline:
XXXX
Decision of: XXXX - The company will continue to operate for an indefinite period.
Decision of XXXX - The restructuring plan adopted on XXXX is confirmed . Its
essential content is: The insolvency creditors received a total quota of XXXX
and a cash quota of XXXX% was to be distributed by the insolvency administrator within
XXXX days after the confirmation became legally binding and a further XXXX was to be paid within two years from
acceptance. The insolvency proceedings (bankruptcy proceedings or restructuring proceedings)
are repealed when this confirmation becomes legally binding. Decision of: XXXX – the
restructuring plan is legally confirmed. The restructuring proceedings are repealed.
Decision of: XXXX – The restructuring plan is legally confirmed. The
restructuring proceedings are repealed . End of payment period: XXXX “.The entry about the insolvency in question kept by the co-involved party in its creditworthiness database is based on the restructuring proceedings opened at the Regional Court for Civil Matters XXXX, AZ XXXX, on XXXX against the complainant. The restructuring proceedings mentioned were terminated on XXXX when the accepted restructuring plan became legally binding, and the end of the payment period was set at XXXX. The above-mentioned information about the complainant was made available to third parties for inspection and further processing by the co-involved party as part of its business as a credit agency for the purpose of assessing the creditworthiness of potential customer relationships. II.1.3. On the complainant's restructuring proceedings: In the restructuring proceedings opened at the Regional Court for Civil Matters XXXX, AZ XXXX, on XXXX against the complainant, the restructuring plan was accepted and confirmed on XXXX. The restructuring proceedings were terminated on XXXX when the restructuring plan became legally binding and the end of the payment period was set at XXXX. The total quota was set at XXXX percent in the restructuring plan. II.1.4. Regarding the decision of the Regional Court for Civil Matters XXXX of XXXX and of XXXX: - 6 - On XXXX, the complainant submitted an application pursuant to Section 256 Paragraph 3 IO and certified that the restructuring plan quotas had been paid. By decision of the Regional Court for Civil Matters XXXX of XXXX, upon the complainant's request, access to the insolvency file pursuant to Section 256 Paragraph 3 IO was no longer granted. By decision of the Regional Court for Civil Matters XXXX of XXXX, the deletion of all entries relating to the complainant's insolvency proceedings at XXXX was ordered in accordance with Section 77a Paragraph 1 IO at the companies specified in the decision. The main reasons given were that the restructuring plan had now been fully implemented, a resolution could be issued in accordance with Section 256 Paragraph 3 IO and the requirements for entering the deletions in the commercial register were now in place. II.1.5. Regarding the complainant's request for deletion from the co-involved party: On XXXX, the complainant requested that the co-involved party delete the restructuring procedure stored for him from the co-involved party's creditworthiness database. The co-involved party did not comply with the request for deletion. II.2. Assessment of evidence: II.2.1. Regarding II.1.1. (Regarding the co-involved party): The relevant finding is based on the unobjectionable content of the file and the co-involved party's commercial activity is publicly known. The fact that the co-involved party made the information in question about the complainant available to third parties is evident from the corporate purpose of the co-involved party, the statements of the parties that are consistent with this, and the official knowledge of the Federal Administrative Court in this regard. The co-involved party submitted a statement on XXXX through its lawyer and initially stated that XXXX, against which the complaint was directed in the application procedure before the authority concerned, had been merged into the XXXX company by means of a merger agreement dated XXXX. XXXX was deleted on XXXX. A correction of the party name is requested, the corporate purpose will now be continued in XXXX. The information provided by the co-involved party in this regard is unobjectionable. II.2.2. Regarding II.1.2. (Regarding storage in the creditworthiness database of the co-involved party):
The determination could be made based on the submissions of the co-involved party and the
complainant. - 7 -
II.2.3. On II.1.3. (Regarding the complainant's restructuring proceedings):
The findings result from the undisputed submissions of the
complainant and the co-involved party and are also consistent with the
statements of the Regional Court for Civil Matters XXXX in the decision
(restructuring plan confirmation) of XXXX .
II.2.4. On II.1.4. (Regarding the decision of the Regional Court for Civil Matters XXXX of XXXX
and of May 21, 2019):
The relevant findings are based on the decision of the Regional Court for
Civil Matters XXXX of XXXX to the number XXXX and of XXXX to the number XXXX .
II.2.5. On II.1.5. (On the complainant's request for deletion):
The findings are based on the letter from the complainant dated XXXX, which is undisputed in this respect and is included in the file.
II.3. Legal assessment:
According to Section 6 BVwGG, the Federal Administrative Court decides by a single judge, unless
federal or state laws provide for a decision by a senate.
As the subject of the complaint is a decision by the data protection authority,
the senate has jurisdiction in accordance with Section 27 DSG.
On ruling point A) - Partial grant of the complaint:
II.3.1.1. Applicable law
The relevant provisions of the Federal Law on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette I No.
24/2018, read in extracts including the heading as follows:
"Fundamental right to data protection
§ 1. (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and
family life, insofar as there is a legitimate interest in doing so. The existence of such an
interest is excluded if data is not accessible to a confidentiality claim due to its general availability or
due to its lack of traceability to the person concerned.
(2)If the use of personal data is not in the vital interest of the data subject or with his consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person - 8 -, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons stated in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data that are particularly worthy of protection by their nature to protect important public interests and must at the same time establish appropriate guarantees for the protection of the data subject's interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the objective. […]“
“Complaint to the data protection authority
§ 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or § 1 or Article 2, Chapter 1.
(2) The complaint must contain:
1. the designation of the right deemed to have been violated,
2. as far as this is reasonable, the designation of the legal entity or body to which the alleged violation of law is attributed (respondent),
3. the facts from which the violation of law is derived,
4. the reasons on which the allegation of illegality is based,
5. the request to establish the alleged violation of law and
6. the information required to assess whether the complaint was submitted in time.
(3) A complaint must be accompanied, where appropriate, by the application on which it is based and any response from the respondent. In the event of a complaint, the data protection authority must provide further assistance at the request of the data subject. […]“
The relevant provisions of Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing - 9 -
Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 4 May 2016, hereinafter: GDPR, read in extracts including the heading:
“Article 4
Definitions
For the purposes of this Regulation, the following terms shall apply:
(1) “personal data” means any information relating to an identified or
identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or linking, restriction, erasure or destruction; …
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such
processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…
(10) ‘third party’ means a natural or legal person, public authority, agency or other
body, other than the data subject, controller, processor and - 10 -
persons authorised to process personal data under the direct authority of the controller or processor;
…
Article 5
Principles for the processing of personal data
(1) Personal data must
a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’);
b) be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);
c) be adequate, relevant and limited to what is necessary for the purposes of the processing (‘data minimisation’);
d) be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for longer provided that the personal data are kept for longer, subject to the implementation of appropriate technicaland organisational measures required by this Regulation to protect the rights and freedoms of the data subject, processed solely for archiving purposes in the public interest or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1) (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or - 11 -
unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (‘integrity and confidentiality’);
(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance (‘accountability’).
Article 6
Lawfulness of processing
(1) Processing shall be lawful only if at least one of the following
conditions is met:
a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
[ … ]
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.
[ … ]”
(2) Member States may maintain or introduce more specific provisions to adapt the application
of the rules of this Regulation with regard to processing carried out to comply with points (c) and (e) of paragraph 1, by specifying more precisely specific requirements for
processing and other measures to ensure lawful and fair processing, including for other
specific processing situations as set out in Chapter IX.
(3) The legal basis for processing operations referred to in points (c) and (e) of paragraph 1 shall be
defined by - 12 -
(a) Union law, or
(b) Member State law to which the controller is subject.
The purpose of the processing must be specified in that legal basis or, as regards
processing referred to in point (e) of paragraph 1, it must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions
adapting the application of the rules of this Regulation, including
provisions on the general conditions governing the
lawfulness of processing by the controller, the types of data
processed, the data subjects concerned, the entities to which and for which
purposes the personal data may be disclosed, the purpose limitation, the period for which they may be stored and the processing operations and
procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other
specific processing situations referred to in Chapter IX. Union or Member State law must pursue an objective in the public interest and be
proportionate to the legitimate purpose pursued.
(4) Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with that for which the personal data were initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing; (b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and criminal offences referred to in Article 10
d) the possible consequences of the intended further processing for the data subjects, - 13 -
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
[…]"
Recital 47 of the GDPR states with regard to the permission in Article 6(1)(f):
"(47) The lawfulness of processing may be justified by the legitimate interests of a
controller, including a controller to whom the personal data may be disclosed, or of a third party, provided that the interests or
fundamental rights and freedoms of the data subject do not override them; in doing so, the
reasonable expectations of the data subjects based on their relationship with the
controller must be taken into account. A legitimate interest could, for example, exist if there is a relevant and appropriate relationship between the data subject and the controller, e.g. if the data subject is a customer of the controller or is in its service. In any case, the existence of a legitimate interest would have to be assessed particularly carefully, including whether a data subject could reasonably foresee, at the time the personal data were collected and in the light of the circumstances in which they were collected, that processing for that purpose might take place. In particular, if personal data are processed in situations where a data subject cannot reasonably expect further processing, the interests and fundamental rights of the data subject could override the interest of the controller. Since it is up to the legislator to create the legal basis for the processing of personal data by public authorities by law, this legal basis should not apply to processing by public authorities which carry out such processing in the performance of their tasks. The processing of personal data to the extent strictly necessary for the prevention of fraud also represents a legitimate interest of the respective controller. The processing of personal data for direct marketing purposes may be considered as processing carried out in a legitimate interest." Article 16 Right to rectification - 14 - The data subject has the right to obtain from the controller the immediate rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.”
Article 17
Right to erasure (“right to be forgotten”)
(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where
one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise
processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing.
c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
d) The personal data have been processed unlawfully.
e) The erasure of the personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
f) The personal data were collected in relation to information society services offered pursuant to Article 8(1).
(2) Where the controller has made the personal data public and is obliged to erase them pursuant to paragraph 1, the controller shall take appropriate measures, including technical ones, taking into account available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested the erasure by them of all links to those personal data or of copies or replications of those personal data.
(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary - 15 -
a) for exercising the right to freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health pursuant to
Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes pursuant to Article 89(1), insofar as the right referred to in
paragraph 1 is likely to make the achievement of the objectives of that processing
impossible or seriously compromises it; or
(e) for the establishment, exercise or defence of legal claims.
Article 18
Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller restriction of
processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject,
for a period enabling the controller to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or
defence of legal claims, or
d) the data subject has objected to processing pursuant to Article 21(1),
pending the verification whether the legitimate grounds of the controller
override those of the data subject.
(2) Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.
Article 21
Right to object
(1) The data subject shall have the right to object at any time, for reasons related to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1); this also applies to profiling based on these provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims. (2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for the purposes of such advertising; this also applies to profiling insofar as it is related to such direct marketing. (3) If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes. (4) The data subject must be expressly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; this notification must be made in an intelligible form and separate from other information. (5) In the context of the use of information society services, the data subject may, notwithstanding Directive 2002/58/EC, exercise his or her right of objection by means of automated procedures using technical specifications. (6) The data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out in the public interest. Section 152 of the Trade Regulations 1994 (GewO 1994), Federal Law Gazette I No. 111/2002, reads with the heading: - 17 -
Credit reporting agencies – reads:
(1) Business operators who are authorized to operate credit reporting agencies are not authorized to provide information about private circumstances that are not related to creditworthiness.
(2) The business operators mentioned in paragraph 1 are obliged to keep their business correspondence and business records for seven years. The period of seven years runs from the end of the calendar year in which the correspondence took place or the last entry was made in the business record. In the event of termination of the
trade license, the correspondence and the business books must be destroyed, even
if the period of seven years has not yet elapsed.”
Section 256 of the Insolvency Code - IO, Federal Law Gazette I No. 122/2017, reads with the heading:
Insolvency file
(1) The edict file must contain the data that must be made public under this federal law (insolvency file).
(2) Access to the insolvency file is no longer permitted if one year has passed
since
1. the termination of the insolvency proceedings pursuant to Sections 123a, 123b and 139,
2. expiry of the payment period provided for in the restructuring plan if its fulfillment is not
monitored,
3. termination or cessation of monitoring of the restructuring plan,
4. expiry of the payment period provided for in the payment plan or
5. the premature cessation or termination of the debt collection procedure.
(3) At the request of the debtor, access to the insolvency file is no longer to be granted if the legally confirmed restructuring plan or payment plan has been fulfilled. The debtor must provide documentary evidence of fulfillment. The court can commission an expert to examine the fulfillment, the costs of which are to be borne by the debtor. The court decides on the access by means of an unappealable order. (4) Access to the entry of insolvency proceedings not opened due to a lack of assets to cover costs or due to lack of assets in accordance with Section 68 is no longer to be granted after three years after the entry.” - 18 - II.3.1.2. In the present case, it was necessary to examine whether the processing of information
personal data on the person concerned regarding a debt settlement procedure concerning him, in a private database operated by the person responsible as part of its
commercial activity as a credit agency, for the purpose of
viewing and passing on to third parties (customers of the person responsible) was lawful.
The legality check is to be related to two periods that are to be
assessed separately. In a first step, the
processing of the data in question is examined in relation to the period during
which the information regarding the restructuring procedure was no longer publicly published in the
insolvency database according to Section 256 IO. Under II.3.1.2.6., the
legality is then examined in relation to the period during which the information
on the person concerned's restructuring procedure was still publicly visible in the insolvency file.
II.3.1.2.1.According to Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a manner that is understandable to the data subject. In this context, Article 6(1)(1) of this Regulation contains an exhaustive and conclusive list of cases in which the processing of personal data can be considered lawful. Therefore, processing must be subsumable under one of the cases provided for in this provision in order to be considered lawful (see ECJ, judgment of 4 July 2023, C‑252/21, para. 90 and the case law cited therein). II.3.1.2.2.First of all, it should be noted that the processing of (credit-relevant) personal data in the context of the exercise of the trade according to Section 152 of the Trade Code 1994 (“credit reporting agencies”), as in the case of the co-participating party, can be based exclusively on the permission under Article 6 subparagraph 1 lit. f of the GDPR in terms of data protection law. According to this provision, the processing of personal data is only lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child (see ECJ, judgment of December 7, 2023, C-26/22, para. 74). Thus, the processing of personal data under this provision is lawful under three
cumulative conditions: First, a legitimate interest must be pursued by the controller or by a third party, - 19 -
Secondly, the processing of the personal data must be necessary to achieve the
legitimate interest, and thirdly, the interests or
fundamental rights and freedoms of the person whose data is to be protected must not
outweigh (cf. ECJ, judgment of July 4, 2023, C-252/21, para. 106 and the case law cited there).
Article 5 (1) (c) GDPR enshrines the principle of "data minimization", which
requires that personal data be "adequate and relevant to the purpose and limited to
what is necessary for the purposes of the processing".
Art. 6 (1) (f) GDPR requires three cumulative conditions for the admissibility of the processing of the creditworthiness-relevant information on the complainant in the creditworthiness database of the co-involved party as a credit agency: Firstly, the processing must be absolutely necessary to protect the legitimate interests of the controller or a third party, in the given context the economic interests in the commercial operations of the co-involved party itself or in obtaining information to assess the creditworthiness of potential borrowers, and secondly, the fundamental rights and freedoms of the data subject must not prevail.
With regard to Article 6 (1)(f) GDPR, the European Court of Justice has ruled that this
provision is to be interpreted as meaning that processing can only be regarded as necessary to safeguard the
legitimate interests of the controller or of a third party within the meaning of this
provision if this processing is carried out within the limits of what is
strictly necessary to achieve this legitimate interest and
if a balancing of the opposing interests, taking into account all relevant circumstances, shows that the interests or fundamental
rights and freedoms of the persons affected by the processing do not outweigh the legitimate
interest of the controller or of a third party (see in this sense the
judgments of the ECJ of May 4, 2017, C-13/16, and of July 4, 2023, C-252/21).
II.3.1.2.3.In this case, a negative entry was found in the creditworthiness database of the co-participating party regarding a restructuring procedure opened in XXXX at the Regional Court for Civil Matters XXXX under No. XXXX against the complainant, which was terminated in XXXX by the adoption of a restructuring plan, whereby the end of the payment period was set at XXXX. - 20 -
The duration of the public publication of the information in question on the complainant's restructuring procedure follows in the specific case from the provision of
Section 256 of the Insolvency Code (IO).
According to Section 256 Paragraph 2 No. 4 IO, access to the insolvency file is no longer to be granted if
one year has passed since the expiry of the payment period provided for in the payment plan. According to §
256 para. 3 IO, access to the insolvency file is no longer to be granted at the debtor's request if the legally confirmed restructuring plan or payment plan
has been fulfilled.
As stated, the end of the payment period was set at XXXX in the restructuring plan for the complainant's proceedings. In addition, the complainant requested in an application dated
XXXX that public access to the insolvency file should no longer be granted in accordance with § 256 para. 3 IO. By order of the Regional Court for Civil Matters XXXX dated XXXX,
the application was granted and access to the insolvency file was no longer granted in accordance with § 256 para. 3 IO, as the restructuring plan had been fulfilled.
The complainant subsequently requested on XXXX that the co-involved party delete the restructuring procedure stored on him from its (private) creditworthiness database, whereby the requested deletion was repeatedly rejected by the co-involved party, as stated.
In the light of the recent case law of the European Court of Justice presented above, it follows from all of this that the information in question on the complainant's restructuring procedure was no longer publicly accessible in the state insolvency file under Section 256 IO at the time when the complainant requested deletion from the co-involved party's database.
However, the co-involved party did not delete the entry in question from the co-involved party's creditworthiness database after XXXX, as stated.
II.3.1.2.4.By judgment of the ECJ of December 7, 2023, UF, AB / Land Hessen, C-26/22 and C-64/22,
the Court of Justice has ruled in relation to the practice of private credit reporting agencies, which consists in storing in their own databases information from a public register
on the granting of residual debt relief in favor of natural persons for the purpose of
providing information on the creditworthiness of these persons:
- Art. 5 (1) (a) GDPR in conjunction with Art. 6 (1) subparagraph. Article 17(1)(f) of the GDPR is to be interpreted as meaning that it precludes a practice by private credit reporting agencies which consists in storing in their own databases information on the granting of debt relief to natural persons - 21 -, taken from a public register, for the purpose of providing information on the creditworthiness of those persons for a period that goes beyond the storage period of the data in the public register; - Article 17(1)(c) of the GDPR is to be interpreted as meaning that the data subject has the right to obtain from the controller the immediate erasure of personal data concerning him or her if he or she objects to the processing pursuant to Article 21(1) of that regulation and there are no compelling legitimate grounds that exceptionally justify the processing in question; – Article 17(1)(d) GDPR is to be interpreted as meaning that the controller is obliged
to delete personal data that have been processed unlawfully without delay.
Questions 2 to 5, which were submitted to the Court of Justice of the European Union by order of the
Administrative Court of Wiesbaden of December 23, 2021, were similar to the legal question to be resolved in the
present proceedings and were therefore also prejudicial to the present proceedings.
As the Court of Justice of the European Union stated in the decision presented above,
the processing of data on the granting of a residual debt discharge by a credit agency constitutes a serious interference with the fundamental rights of the data subject enshrined in Articles
7 and 8 of the Charter [of Fundamental Rights of the European Union] (para. 94).
In this context, reference should also be made to the statements of the Advocate General in paragraph 75 of his Opinion, according to which the realisation of the objective of enabling the beneficiary to safely participate in economic life again is of existential importance and would be jeopardised if credit agencies were able to store data for the assessment of a person's economic situation beyond a discharge of residual debt and to use such data after it has been deleted from the public insolvency register (para. 98). The interests of the credit sector in having information regarding discharge of residual debt cannot therefore justify the processing of personal data after the expiry of the period for storing the data in the public insolvency register, so that the storage of this data by a credit agency in relation to this period after the deletion of this data from a public insolvency register cannot be based on Art. 6 para. 1 lit. f GDPR (para. 99). In the view of the ECJ, this would be equivalent to data retention without cause, which cannot be in the legitimate interest. This storage would not - 22 -
take place for a specific reason, but in the event that their contractual partners would request such information and this would lead to inadmissible data retention, especially if the data in question had already been deleted from the public register due to the expiry of the period.
II.3.1.2.5.The Administrative Court ruled in its decision of April 22, 2024 on Ro
2022/04/0038, referring to the ECJ judgment of December 7, 2023, C-26/22 and C-64/22,
SCHUFA Holding, that the storage of data by a credit agency in relation to
the period after the insolvency court's decision on the "deletion
of entries from the insolvency file" pursuant to Section 256 IO has become final cannot be based on Art. 6 Para. 1 lit. f GDPR. The storage of the data from the insolvency file relating to the debt settlement procedure by the credit agency beyond the point in time at which the insolvency court's decision has become final has therefore proven to be unlawful in the specific case.
II.3.1.2.6.In the light of the recent case law of the ECJ and the Administrative Court presented above, it was therefore necessary to establish, with regard to the facts to be assessed here, that the fact that the co-participating party processed (in this case: stored and made accessible) the creditworthiness data in question on the complainant, which came from the state insolvency file pursuant to Section 256 IO, over a period of time that went beyond the periods of public inspection of the insolvency file. However, since such processing cannot ultimately be based on Article 6 subparagraph 1 lit. f GDPR, the co-participating party thereby violated the complainant's right to confidentiality and the data in question on the complainant should in any case not have been stored for longer than in the public insolvency file. The co-participating party should therefore have complied with the complainant's request for deletion in this regard. II.3.1.2.7.On the processing of the information in question between XXXX and the
end of the public publication of this information in the insolvency database according to Section 256
IO:
In this regard, reference should first be made again to the statements of the European Court of Justice regarding
the period of processing in private credit databases during which the data in question
of the data subjects are (also) available in the public register (cf. in paragraph 100 of the
judgment of December 7, 2023):
“As regards the period of six months during which the data in question are also available in this
public register, it should be noted that the effects of storing this data in the databases of such
credit agencies in parallel to this period can be considered less serious than after the expiry of the
six months, but that this storage nevertheless constitutes an interference with the protection of personal data set out in Art. 7 and 8
of the Charter. In this respect, the Court has already ruled that
the presence of the same personal data in several sources increases the interference with the
right of the person to respect for private life (seeJudgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraphs 86 and 87). It is for the referring court to weigh up the interests in question and the impact on the data subject in order to determine whether the parallel storage of this data by private credit agencies can be regarded as limited to what is strictly necessary, as required by the case-law of the Court cited in paragraph 88 of the present judgment.” In the case in point, the Senate found that the party involved, as a credit agency, processes data that is fundamentally necessary for assessing the creditworthiness of persons or companies in order to be able to make this information available to its contractual partners. This activity not only protects the economic
interests of companies that want to enter into credit-relevant contracts, the determination
of creditworthiness and the provision of credit reports also forms a foundation
of the credit system and the functioning of the economy, this activity
also makes it possible to realize the business wishes of those interested in credit-relevant transactions, since
the information enables a quick, valid and unbureaucratic check of the creditworthiness of potential
customers. Although a check of the creditworthiness of potential customers
of credit-relevant transactions would in principle also be conceivable in detail by the respective
company, by means of its own queries in the public insolvency file,
however, it seems hardly reasonable to obtain as complete a picture as possible of a customer's payment behavior by
individual queries on an ad hoc basis in economic life, which is why the
services of credit reporting agencies in the interest of the functioning of the economy,
credit-relevant transactions form a key part of essential economic sectors,
can be regarded as necessary within the meaning of Art. 6 subparagraph 1 lit. f GDPR.
In order to weigh up the economic interests of those responsible and their business partners in the processing of the information on the restructuring procedure of the person concerned, which is to be examined here, against his interests, fundamental rights and fundamental freedoms, the following had to be weighed up: In particular with regard to the number of creditors and the amount of the default on the claims that the complainant's creditors had to accept in the course of the restructuring procedure - 24 -, it was to be assumed that - with regard to the period of public publication of the information in the insolvency database according to Section 256 IO - the complainant's interest in his own economic advancement did not outweigh the economic interests of potential new creditors. This also applies with regard to the complainant's expectations, who could hardly assume that the information in question, as long as it was published in the insolvency file, would not be processed by credit agencies for the purpose of assessing creditworthiness. The processing of the information in question on the
complainant in the private credit database of the co-participating party was,
with regard to the period between XXXX and XXXX, covered by Art. 6 subparagraph 1 lit. f GDPR,
and was therefore lawful.
II.3.1.2.8.On the right to erasure and objection: As far as the complaint relates to the
right to erasure under Art. 17 GDPR and the right to object under Art. 21 GDPR,
it was noted that the information in question had already been deleted from the co-participating party’s database at the time of the decision,
a legal interest in this regard therefore ceased to exist, and the complaint in this regard
had to be dismissed.
II.3.1.2.9.As regards the assertion of a violation of the right to rectification under Art. 16 GDPR and the right to restrict processing pursuant to Art. 18 GDPR, the relevant statements of the authority concerned, according to which no corresponding application to the responsible party had been made, which meant that the complaint in this regard had to be rejected, had to be agreed with. II.3.2. On ruling point B) - Inadmissibility of the appeal: According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible pursuant to Art. 133 Paragraph 4 B-VG. The ruling must be briefly justified. The appeal is not admissible pursuant to Art. 133 Paragraph 4 B-VG because the decision does not depend on the solution of a legal question that has fundamental significance - going beyond the case in question. If the legal situation is clear and unambiguous according to the relevant standards, then there is no legal question of fundamental importance within the meaning of Article 133 Paragraph 4B-VG, even if the Administrative Court of Justice has not yet issued a ruling on an applicable standard (VwGH of September 11, 2020, Ra 2018/04/0157). - 25 - On the question of whether the storage of data from a private credit agency for a period that goes beyond the storage period of the data in the public register is permissible, the Senate was able to rely on the recent judgment of the Court of Justice of the European Union of December 7, 2023, UF, AB / Land Hessen, C-26/22 and C-64/22. Furthermore, a balancing of interests had to be carried out on a case-by-case basis in accordance with Article 6(1)(f) GDPR. The decision had to be taken in accordance with the ruling.
