BVwG - W101 2213581-1: Difference between revisions

From GDPRhub
Line 67: Line 67:
The credit reference agency argued before the DSB that the data were still relevant for correctly assessing the data subject's creditworthiness under [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]]. Deleting the data would lead to incorrect results. In addition, the credit reference agency's interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] would outweigh those of the data subject. Furthermore, the credit reference agency demanded that the DSB would not deviate from Austrian case law prior to the applicability of the GDPR, according to which payment experience data could be stored for up to 7 years after the respective debt has been settled.
The credit reference agency argued before the DSB that the data were still relevant for correctly assessing the data subject's creditworthiness under [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]]. Deleting the data would lead to incorrect results. In addition, the credit reference agency's interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] would outweigh those of the data subject. Furthermore, the credit reference agency demanded that the DSB would not deviate from Austrian case law prior to the applicability of the GDPR, according to which payment experience data could be stored for up to 7 years after the respective debt has been settled.


The DSB partially upheld the complaint, ordering the credit reference agency to erase the data on a €497.97 debt from their database as it had been settled in February 2013. Regarding data on a €481.34 debt that had been settled in April 2018, the DSB rejected the complaint, as it considered this data still necessary to assess the data subject's creditworthiness and agreed with the credit reference agency that the processing can be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].  
The DSB partially upheld the complaint, ordering the credit reference agency to erase the data on a €497 debt from their database as it had been settled in February 2013. Regarding data on a €481 debt which had been settled in April 2018, the DSB rejected the complaint, as it considered this data still necessary to assess the data subject's creditworthiness and agreed with the credit reference agency that the processing can be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].  


The credit reference agency filed an appeal against the the DSB's order to erase the data on the €497.97 debt.
The credit reference agency filed an appeal against the the DSB's order to erase the data on the €497.97 debt.
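
Review bot: the amounts are now inconsistent across the summary. The revised third paragraph rounds to "€497" and "€481", but the unchanged paragraph that follows still says "€497.97", and the machine-translated decision further down the page gives this claim as €497.07. Either keep the exact figures in both paragraphs or round both, and check the cents against the decision text. The unchanged last paragraph also still reads "against the the DSB's order"; the doubled "the" could be fixed in the same edit.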

Revision as of 12:33, 22 February 2022

BVwG - W101 2213581-1
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 17 GDPR
Article 58 GDPR
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Decided: 20.01.2022
Published: 16.02.2022
Parties: unknown data subject (complainant before the DSB)
unknown credit reference agency (respondent before the DSB)
Austrian Data Protection Authority (Datenschutzbehörde - DSB)
National Case Number/Name: W101 2213581-1
European Case Law Identifier: BVWGT_20220120_W101_2213581_1_00
Appeal from: DSB (Austria)
DSB-D123.193/0003-DSB/2018
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court held that a credit reference agency has to delete data on a €500 debt that has been settled in 2013, confirming a decision of the Austrian DPA.

English Summary

Facts

In June 2018 the data subject sent a request under Article 17 GDPR to the credit reference agency, requesting the erasure of all processed data on previously unsettled debts. The data subject stated that all debts had been settled in 2013 in the course of fulfilling a payment plan resulting from insolvency proceedings. After the credit reference agency refused the erasure, the data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) in July 2018.

The credit reference agency argued before the DSB that the data were still relevant for correctly assessing the data subject's creditworthiness under Article 5(1)(d) GDPR. Deleting the data would lead to incorrect results. In addition, the credit reference agency's interests under Article 6(1)(f) GDPR would outweigh those of the data subject. Furthermore, the credit reference agency demanded that the DSB not deviate from Austrian case law prior to the applicability of the GDPR, according to which payment experience data could be stored for up to 7 years after the respective debt has been settled.

The DSB partially upheld the complaint, ordering the credit reference agency to erase the data on a €497 debt from their database as it had been settled in February 2013. Regarding data on a €481 debt which had been settled in April 2018, the DSB rejected the complaint, as it considered this data still necessary to assess the data subject's creditworthiness and agreed with the credit reference agency that the processing can be based on Article 6(1)(f) GDPR.

The credit reference agency filed an appeal against the DSB's order to erase the data on the €497.97 debt.

Holding

The BVwG upheld the DSB's decision. It emphasized that at the point of the decision of the BVwG, the debt had been settled for more than 9 years. Consequently, it considered the data to be no longer relevant for assessing the data subject's creditworthiness. The BVwG also mentioned that even under case law prior to the applicability of the GDPR the credit reference agency would have been under the obligation to delete the data by now.

Comment

The BVwG took over two years to reach a decision, which is somewhat problematic given that the credit reference agency kept processing the data on the debt while the procedure was pending. This might have led to problems for the data subject whose credit score was suffering from this unlawful processing.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

01/20/2022

standard

B-VG Art133 Para.4
DSG §1
DSG §24 paragraph 1
DSG §24 paragraph 5
GDPR Art17
GDPR Art4
GDPR Art5
GDPR Art58
GDPR Art6
VwGVG §28 paragraph 2

saying

W101 2213581-1/5E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Dr. Christine AMANN as chairwoman and the expert lay judges MMag. Dr. Winfried PÖCHERSTORFER and Mag. Thomas GSCHAAR as assessor on the complaint of XXXX, represented by: Attorney Dr. Friedrich GATSCHA, against parts 1 and 3 of the decision of the data protection authority of December 7th, 2018, GZ. DSB-D123.193/0003-DSB/2018, rightly recognised:

a)

The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG in conjunction with Section 24 (1) and (5) DSG as amended.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

In a letter dated July 5th, 2018 (received on July 11th, 2018), Mrs. XXXX (= involved party before the Federal Administrative Court and applicant before the data protection authority) filed a data protection complaint against XXXX (= complainant before the Federal Administrative Court and respondent before the data protection authority) because her right to erasure had been violated. She justified her data protection complaint essentially as follows:

On June 5th, 2018, the party involved submitted an application to the complainant for the deletion of their personal data. Since the data listed was no longer up-to-date, she had asked the complainant to delete all of her creditworthiness-related data, with the exception of her name, date of birth and current residential address. The party involved has paid off 100% of its debts as part of a payment plan and now wants to start over from the beginning. However, the complainant informed the involved party in a letter dated June 21, 2018 that no indications of the incorrectness of the entry or the inadmissibility of the processing could be found with regard to the entries in question. According to the provisions of the GDPR, there is therefore no need to delete or correct the data.

In a statement dated August 27, 2018, the complainant essentially stated the following regarding the data protection complaint of the party involved:

The legal basis under data protection law for the processing of personal data relevant to creditworthiness in the complainant’s identity and creditworthiness database is overriding legitimate interests pursuant to Article 6(1)(f) GDPR. The overriding legitimate interests are on the part of third parties, namely the companies in the banking industry who make advance payments. In principle, the complainant only stores personal data for as long as there is a legitimate purpose for processing it. As long as the data is relevant for the assessment of identity or creditworthiness, the purpose of the processing continues. The longer a payment history entry is in the past, the smaller the amount and the less other payment history data is available for a person, the more likely it is to be assumed that no statements relevant to creditworthiness can (any longer) be derived from the specific entry. Claims that have already been settled ("positively settled") would also represent data relevant to creditworthiness. The fact that a claim was only settled after a qualified reminder or prosecution by collection agencies or lawyers means at least a temporary default and thus results in a credit risk with regard to future legal transactions. In order to convey a factually correct and complete picture of the creditworthiness-relevant data stored about a person and thus to comply with the principle of data correctness according to Art. 5 Para. 1 lit. d DSGVO, it is therefore important that claims that have already been paid in the XXXX database would remain.

In the case of the stored payment experience data of the party involved, there is still a claim for €481.34 (origin: XXXX), which has meanwhile been confirmed as "positively settled", and a claim for €497.07 (origin: XXXX), which also appears in the database as "positively done". The complainant's standard erasure rules would apply to both of these claims. This means that the claims, due to their considerable amount, are still to be regarded as relevant to creditworthiness. There is therefore a valid processing purpose, which is why a deletion does not have to take place either according to Art. 17 (2) lit. a or according to lit. d GDPR. Other reasons for deletion had not been brought forward by the party involved and would not exist either.

By way of evasion of § 256 Para. 1 Z 4 IO, information stored in the edict file on a debt settlement procedure can still be viewed for one year after the end of the payment period provided for in the payment plan. According to the edict file, in the debt settlement procedure before the BG Fünfhaus under GZ. 43 S 1/13y, a payment plan with the end of the payment period on April 15, 2018 has been decided. Thus, even in the edict file, which can be viewed without any prerequisites, the debt settlement procedure in question can still be called up until the end of April 15, 2019. In any case, this circumstance of public visibility must be taken into account in the balancing of interests under Article 6(1)(f) GDPR: there is no recognizable interest in data that could be accessed online by anyone also being allowed to be processed by the complainant.

Even after the end of April 15, 2019, the processing purpose and legal basis for the data from the aforementioned debt settlement procedures still exist. Even a historical debt settlement procedure represents a creditworthiness-relevant date for a certain period of time, since conclusions can be drawn about future payment behavior from a person's previous financial conduct.

By decision of December 7th, 2018, GZ. DSB-D123.193/0003-DSB/2018, the data protection authority partially granted the data protection complaint of July 11, 2018 and found that the complainant had violated the party involved's right to erasure by not deleting the data on the claim in the amount of €497.07, already settled on February 27, 2013, from its creditworthiness database (Sentence Part 1). The data protection complaint is dismissed with regard to an alleged violation of the right to erasure in relation to the claim paid on April 15, 2018 in the amount of €481.34 and the information from the insolvency file (edict file) appearing in the database of the party involved (part 2). Finally, the complainant was instructed to comply with the request for deletion of the involved party (regarding the claim in the amount of €497.07) within a period of two weeks, otherwise execution, and to delete the data mentioned in part 1 of the judgment (part 3 of the judgment).

With regard to parts 1 and 3 of the above decision, the data protection complaint essentially made the following findings of fact:

The complainant operates an identity and creditworthiness database. They obtain the data from publicly available sources or receive data from address publishers and information on payment experiences from a large number of corporate customers and from over 60 collection partners.

In a letter dated June 5th, 2018, the complainant requested the deletion of her personal data on the grounds that the data listed was no longer up-to-date because she had paid off 100% of the debt as part of a payment plan. She has requested the deletion of all creditworthiness-related data, with the exception of her name, date of birth and her current residential address.

By letter dated June 21, 2018, the complainant rejected the request for deletion.

As of the reporting date of August 22, 2018, the claim in the amount of €497.07 (opened on June 7, 2010, closed on February 27, 2013) was still stored.

On the basis of these factual findings, the data protection authority essentially concluded the following in legal terms:

In the present case, the party involved requested the immediate deletion of their personal data, with the exception of their name, date of birth and current residential address, in accordance with Article 17 (1) GDPR.

It should be noted at the outset that the processing of data relevant to creditworthiness by a credit agency within the meaning of Section 152 of the Industrial Code is covered by this provision and that the legality of the processing of this data does not depend on the prior consent of a data subject.

In the absence of special rules for credit reporting agencies, the general principles of the GDPR apply, according to which, among other things, personal data may only be collected for specified, clear and legitimate purposes (Article 5 (1) (b) GDPR). Accordingly, in the present proceedings, it should first be noted that the purpose of the data processing in the complainant's database would be to enable those companies to access the data that would run a credit risk in the course of their economic activity, for example when delivering their goods or services (e.g. delivery on open delivery). Under certain conditions, the lawfulness of the processing pursuant to Article 6 (1) (f) GDPR can be affirmed.

The subject of the proceedings, however, is the question of how long payment experience data could be stored by the complainant after the claim has been settled before they are no longer necessary for the purposes of processing (creditor protection); only if the personal data are still relevant to creditworthiness, there is a processing purpose according to Art. 5 Para. 1 lit. b GDPR.

There is no legally standardized period for how long entries in databases of credit reporting agencies may be stored.

In the notification GZ. K600.033-018/0002-DVR/2007 on the "Small credit record (consumer credit record) for the purpose of creditor protection and risk minimization" on the legal situation before the GDPR came into force with regard to the deletion of all entries in connection with a specific loan obligation, among other things, issued the condition that such a seven years after the debt has been paid off or another debt-discharging event has occurred.

A uniform standard, from which a general deadline for the deletion of creditworthiness-relevant data from the database of a credit agency after the debt has been paid off, is not evident. Rather, a case-by-case assessment, taking into account all the relevant circumstances, seems to be necessary.

The supposedly poor creditworthiness of those affected, which is based on historical "payment experience data" (negative entries), should be prevented by the possibility of a timely solution after all claims have been settled. In particular, it should be avoided that those affected, who have regained a solid financial basis after the cancellation of a debt settlement procedure or after paying their debts outside of the insolvency proceedings, again have to struggle with difficulties in commercial transactions because their creditworthiness is reduced by these negative entries. A general deletion of the data relevant to creditworthiness only after seven years after repayment of the debt is not possible with regard to Art. 6 Para. 1 lit be proportionate.

The data protection authority therefore sees itself compelled, from its i.a. in the decision GZ. K600.033-018/0002-DVR/2007 on the "Small credit record (consumer credit record) for the purpose of creditor protection and risk minimization" expressed legal view on the retention period.

For the present procedure, this means the following:

Two "payment experience data" from the involved party were stored in the complainant's database. These are claims in the amount of € 481.34 and € 497.07, which would appear in the database as "positively settled". The claims were opened in June and July 2010. The claim for €481.31 was closed on April 15, 2018; the second claim on 02/27/2013. In addition, the judicial debt settlement procedure of the party involved also appears in the database, which reflects the information from the edict file. However, the entries are not identical, since the insolvency file does not contain a list of the individual claims (“payment experience data”). The negative entries about the exact amount of the claims do not come from the federal bankruptcy file.

Regarding part 1:

The claims in the amount of € 497.07 were opened on June 7th, 2010 and positively settled on February 27th, 2013. Although the procedural file shows that the party involved had three entries from "payment experience data" in the complainant's database, it could not be assumed that the processing of this data is still relevant to creditworthiness and is therefore still of interest to the legitimate interests of creditors. In this case, it must be assumed that the processing is no longer necessary to protect the legitimate interests of the creditors or that the interests or fundamental rights and fundamental freedoms of the party involved would prevail.

Regarding part 3:

Since the complainant had refused to delete the claim in the amount of €497.07 (origin: XXXX), which had already been settled in February 2013, the complainant had to be instructed in accordance with Article 58(2)(c) GDPR to comply with the request of the party involved.

In the complaint against parts 1 and 3 of this decision, which was filed within the time limit, the complainant essentially submitted:

The competent authority's assessment of the crucial question of how long payment history data could be stored by the complainant after the claim was settled before it was no longer necessary for the purposes of processing (creditor protection) was incorrect. Among other things, it is undisputed that there are no legal provisions by which the legislature regulates this question. The authority concerned would therefore first have had to investigate what objective circumstances would exist for maintaining creditor protection when determining the period in which creditworthiness data could be stored by credit agencies.

The incorrectness of the legal assessment is already indicated by the fact that the authority concerned ordered that the data relevant to creditworthiness in the cases at issue here be deleted after seven years, even if the legal situation was basically unchanged or at least comparable. Both in the case of the "Warning list of Austrian credit institutions for the purpose of protecting creditors and minimizing risk by pointing out customer behavior contrary to contract" (see consolidated version of the notifications K095.014/016-DSK/2001 and K095.014/021-DSK/2001) as well as the "Small credit record (consumer credit record) for the purpose of creditor protection and risk minimization" ("KKE"), GZ. K600.033-018/0002-DVR/2007, the deletion period was essentially justified by the fact that the creditworthiness data “should remain stored in the warning list for a certain period of time even after the debt has been repaid, due to the fact that the list has a warning function.

The contested decision failed to provide a suitable justification as to why the points of view should have changed for the duration of the storage of data relevant to creditworthiness.

The complainant thus submitted the applications that the Federal Administrative Court should

1. conduct an oral hearing;

2. To call in an expert from the field of credit assessment to prove that the data at issue in the proceedings are to be retained for seven years in order to fulfill the purpose of creditor protection and

3. Amend the contested parts of the notice such that the data protection complaint of the co-participating party is dismissed.

With a letter from the data protection authority dated January 24, 2019, the complaint and administrative file were sent to the Federal Administrative Court.

II. The Federal Administrative Court considered:

1. Findings:

In a letter dated June 5th, 2018, the involved party first requested the complainant to delete all of their creditworthiness-related data.

In a letter dated June 21, 2018, the complainant rejected this application and the data of the party involved was not deleted.

In its data protection complaint dated July 11, 2018, the involved party then asserted, among other things, that its right to erasure had been violated because the complainant had refused to delete the data relevant to the creditworthiness of the involved party for the claim in the amount of €497.07, although this debt was paid off in full in February 2013.

The complainant operates an identity and creditworthiness database. It obtains the data from publicly available sources or receives data from address publishers and information on payment experiences from a large number of corporate customers and from over 60 debt collection partners.

The claim of €497.07 (opened on June 7, 2010 and closed on February 27, 2013) is stored in the complainant's database with regard to the party involved.

It is therefore decisive that the involved party settled the claim in the amount of €497.07 in February 2013 and that the further processing of this creditworthiness-relevant data by the complainant is unlawful due to the long time elapsing before the decision was made. As a result, the complainant violated the party involved's right to erasure.

2. Evidence assessment:

The findings on the relevant facts result from the administrative act, the complaint and the court act.

At the time of the decision, it is undisputed that the claim of €497.07 should have been deleted long ago.

3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on complaints against decisions due to violation of the duty to inform pursuant to Section 24 (7) leg. cit. and the duty of the data protection authority to make a decision. In accordance with Section 27 (2) first sentence DSG, the Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.

In this case, the Senate is responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, BGBl. No. 194/1961, the Agricultural Procedures Act - AgrVG, BGBl. No. 173/1950, and the Service Law Procedures Act 1984 - DVG, BGBl. No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

3.2. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.

Pursuant to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued.

According to § 28 Para. 2 VwGVG, the administrative court has to decide on the matter itself if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

3.3. to A)

3.3.1. The relevant provisions of the GDPR

Article 4

definitions

For the purposes of this Regulation, the term means:

1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. "Processing" means any process carried out with or without the aid of automated processes or any such series of processes in connection with personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading out, querying, use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;

3.-6. (...)

7. "Responsible person" means the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;

8.-9. (...)

10. "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data;

11.-26. (...)

Article 5

Principles for the processing of personal data

(1) Personal data must

a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");

c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");

d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period of time to the extent that the personal data, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject, are used exclusively for archiving purposes in the public interest or for scientific and historical research purposes or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");

(2) The person responsible is responsible for compliance with paragraph 1 and must be able to prove compliance with it (“accountability”).

Article 6

lawfulness of processing

(1) The processing is only lawful if at least one of the following conditions is met:

a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures which are taken at the request of the data subject;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;

f) processing is necessary to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

(2) Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure lawful and fair processing, including for other special processing situations as set out in Chapter IX.

(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by

a) Union law or

b) the law of the Member States to which the controller is subject.

The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for other special processing situations according to Chapter IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.

(4) If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure for the protection of the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things:

a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,

b) the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,

c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10,

d) the possible consequences of the intended further processing for the data subjects,

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 17

Right to Erasure (“Right to be Forgotten”)

(1) The data subject has the right to demand that the person responsible delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

b) The data subject withdraws their consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).

d) The personal data have been processed unlawfully.

e) The erasure of the personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

f) The personal data have been collected in relation to information society services offered pursuant to Article 8(1).

(2) If the person responsible has made the personal data public and is obliged to delete them in accordance with paragraph 1, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that a data subject has requested them to delete all links to this personal data or copies or replications of this personal data.

(3) Paragraphs 1 and 2 do not apply if processing is necessary

a) to exercise the right to freedom of expression and information;

b) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the field of public health in accordance with Article 9 paragraph 2 letters h and i and Article 9 paragraph 3;

d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 paragraph 1, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the attainment of the objectives of this processing, or

e) to assert, exercise or defend legal claims.

Article 58

Powers

(1) (..)

(2) Each supervisory authority shall have all of the following remedial powers, allowing it to:

c) instruct the controller or the processor to comply with the data subject's requests to exercise the rights to which he or she is entitled under this Regulation,

d)-j) (…)

(3)-(6) (…)

3.3.2. The relevant provisions of the DSG

Article 1

(Constitutional provision)

Fundamental right to data protection

§ 1. (1) (...)

(2) Insofar as the use of personal data is not in the vital interests of the person concerned or with his consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time establish appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.

(3) Everyone has, insofar as personal data concerning them are intended for automated processing or for processing in manually managed files, i.e. files managed without automation support, in accordance with statutory provisions:

1. the right to information about who processes which data about him, where the data comes from and what it is used for, in particular to whom it is transmitted;

2. the right to rectification of inaccurate data and the right to erasure of inadmissibly processed data.

(4) Restrictions of the rights according to paragraph 3 are only permissible under the conditions specified in paragraph 2.

Complaint to the data protection authority

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

(2) The complaint must contain:

1. the designation of the right deemed to have been infringed,

2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),

3. the facts from which the infringement is derived,

4. the grounds on which the allegation of illegality is based,

5. the desire to determine the alleged infringement and

6. the information required to assess whether the complaint was filed in a timely manner.

(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.

(4) The right to have a complaint dealt with expires if the intervener does not bring it up within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.

(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sector, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (section 13 (8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered.

(7) The complainant will be informed by the data protection authority about the status and the result of the investigation within three months of filing the complaint.

(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.

(9) The data protection authority can - if necessary - involve official experts in the procedure.

(10) The decision period according to § 73 AVG does not include:

1. the time during which the proceedings are suspended until the final decision on a preliminary question;

2. the time during a procedure according to Art. 56, 60 and 63 DSGVO.

3.3.3. In the data protection complaint in question, the party involved asserted, among other things, that their right to erasure had been violated because the complainant had refused to delete the data relevant to the creditworthiness of the party involved in relation to the claim in the amount of €497.07, although this debt was fully repaid in February 2013.

First of all, it should be noted in the present case that the purpose of data processing in the complainant's database is basically to enable those companies to access the data that, in the course of their economic activity, take on a credit risk, for example when delivering their goods or services. Accordingly, under certain conditions, the processing could be lawful, which is undisputed in the present case.

On the other hand, it was disputed how long payment history data could be stored by the complainant after the claim had been settled before it was no longer necessary for the purpose of further processing (creditor protection).

The complainant, as the person responsible, did not delete the creditworthiness-related claim of the party involved in the amount of €497.07, despite a corresponding application, although this claim had already been settled in February 2013.

The provision of § 1 Para. 3 Z 2 DSG is a constitutional provision according to which everyone, in accordance with legal provisions, has the right to have incorrect data corrected and the right to delete data that has been processed in an inadmissible manner.

Pursuant to Article 5(1)(b) GDPR, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes.

Regarding this provision of the GDPR, recital (39) expressly states: In order to ensure that the personal data are not stored longer than necessary, the controller should set deadlines for their erasure or regular review.

According to Art. 6 (1) lit. f GDPR, processing is lawful if it is necessary to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child.

Pursuant to Art. 17 Para. 1 GDPR, the data subject has the right to demand that the person responsible delete the personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed (lit. a) or the personal data were processed unlawfully (lit. d).

Regarding this provision, recital (65) of the GDPR states in principle: A data subject should have a right to rectification of the personal data concerning them and a "right to be forgotten" if the storage of their data violates this regulation (or ...). In particular, data subjects should have the right to have their personal data erased and no longer processed when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (…).

Even before the GDPR came into force, the European Court of Justice pronounced the following on the "right to be forgotten" in a judgment (grand chamber) of May 13, 2014, C-131/12, which is still valid today according to the legal situation of the GDPR:

The controller shall ensure that the personal data are "processed fairly and lawfully", "collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes", "adequate, relevant and not excessive in relation to the purposes for which they were collected and/or further processed", "accurate and, where necessary, updated" and "kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which they were collected or for which they are further processed". The data controller must therefore take all reasonable measures to ensure that data that do not meet the requirements of that provision are erased or rectified (see paragraph 72).

It should be noted that the processing may fail to comply with the provisions of the directive not only because the data is factually incorrect, but also, inter alia, because they do not correspond to the purposes of the processing, are not relevant or are excessive, are not up to date or are kept longer than necessary, unless their retention is necessary for historical, statistical or scientific purposes (cf. paragraph 92).

The requirements mean that even initially lawful processing of factually correct data may no longer comply with the provisions of the Directive (now the Regulation) over time if the data are no longer required for the purposes for which they were collected or processed. This is particularly the case where they are inadequate, irrelevant or no longer relevant to, or go beyond, those purposes in view of the time elapsed (see paragraph 93).

It should be noted that any processing of personal data must be lawful throughout its execution (see paragraph 95).

If the complainant argues in her complaint that, according to the ruling of the Supreme Court, seven years must have elapsed since the settlement of the claim for the party involved to have a right to the deletion of this personal data relevant to creditworthiness, it must now be countered that at the time of the decision by the Federal Administrative Court, almost nine years have passed since the claim was settled, which is why the storage period can no longer be regarded as permissible or lawful.

The responsible senate therefore came to the conclusion that the complainant inadmissibly did not delete the personal data of the party involved in the claim of €497.07, which has already been settled, and thereby violated the party involved's right to deletion.

Since the contested parts of the above decision are not illegal within the meaning of Art. 130 Para. 1 Z 1 B-VG, the complaint raised against them was to be dismissed pursuant to Section 28 Para. 2 VwGVG in conjunction with Section 24 Para. 1 and 5 DSG as amended.

3.4. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

Although the complainant has submitted an application for a public hearing, the omission of an oral hearing in the present case can be based on the fact that the facts were clarified from the file situation. The Federal Administrative Court only had to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34ff). According to the case law of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12).

Consequently, pursuant to § 24 para. 1 and para. 4 VwGVG, an oral hearing was not to be held.

3.5. Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be solved.