BVwG - W176 2247074-1

From GDPRhub
Revision as of 09:09, 16 February 2023 by 84.113.103.211 (talk) (Changed appeal court)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W176 2247074-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 6(1)(f) GDPR
Article 16 GDPR
Article 17 GDPR
Article 18 GDPR
Article 21 GDPR
Regulation (EU) No 575/2013
§ 152 GewO
Decided: 21.12.2022
Published: 02.01.2023
Parties:
National Case Number/Name: W176 2247074-1
European Case Law Identifier:
Appeal from: DSB (Austria)
n/a
Appeal to: Unknown
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court upheld the decision of a DPA and rejected all claims of a data subject against a credit ranking company. Among other things, the company's legitimate interests outweighed the data subject's interests.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller's business was the assessment of individuals' creditworthiness. For this purpose, the controller stored personal data in a database. One of these individuals was the data subject. In addition to the data subject's personal and address data, the controller saved a note about the data subject's bankruptcy proceedings in its database. Based on the outcome of such proceedings, the data subject's bankruptcy payments had to be concluded by 2018. In 2019, the data subject requested the controller to delete all negative entries related to his the creditworthiness. The controller rejected the request.

Subsequently, data subject lodged a complaint in 2020 which, essentially, focused on the (i) rights to rectification (Article 16 GDPR), (ii) right to erasure (Article 17 GDPR), (iii) right to restriction of processing (Article 18 GDPR), and (iv) right to object to processing (Article 21 GDPR). All rights used by the data subject served the overarching goal of stopping or limiting the controller's processing. Moreover, the data subject argued that after three years of the conclusion of bankruptcy proceedings and after the related payments had ended, credit assessment companies have to delete an affected data subject's personal data. (It was unclear on what basis the data subject came up with the time span of three years.)

The controller responded that the right to data protection had not been breached. In regards to (i) the rectification request, the controller reasoned that as interests of the parties would have to be balanced, a three year retention period could not simply be assumed. In regards to (ii) the right to erasure, the controller based the legitimacy of its processes on the sanctioning of the process through Austrian national law, namely, § 152 GewO, which regulates the disclosure of information by credit ranking agencies, and § 266 IO, which provides protection for creditors. Regards the restriction of processing, (iii) the controller pointed out that the negative entries regarding the data subject's credit worthiness are still of relevance as the last payment made in the context of the bankruptcy proceedings had only been 1,5 years ago. Lastly, (iv) the right to object would only apply for data processed on the legal basis of Article 6(1)(e) or (f) GDPR. However, the controller also processed the data based on Article 6(1)(b) and (c) GDPR. The controller did not elaborate this last argument.

The DPA rejected the complaint of the data subject. According to the authority, the controller's processing was justified based on national law, the aforementioned § 152 GewO. The lawfulness of the data processing did not therefore depend on the consent of the person concerned. It had to be assumed that the legislator assumed that the commercial activity was permissible and a legitimate business interest, giving rise to a legal basis for the processing of personal data under Article 6(1)(f) GDPR. Moreover, it noted that Article 5(1)(b) GDPR required that personal data is only collected for specified, explicit and legitimate purposes. In the case at hand, this would apply as long as the personal data was relevant to the data subject's creditworthiness. Regulation (EU) No 575/2013 (hereinafter "Capital Adequacy Regulation") shows that the EU legislator assumed that data on payment defaults over a period of at least five years is relevant. At the time of the decision, the protection of creditors and thus the legitimate interests of third parties were to be given a higher priority than the legitimate interests of the data subject. Therefore, there had been no violation of data protection laws. With regard to the right to erasure, the relevant authority essentially reiterated that the data processing was still necessary and lawful at the time of the decision. Speaking of the right to object, the DPA stated that the data subject had not given any reasons to believe that there was a "particular situation" as foreseen in Article 21 GDPR. With regard to the right to rectification, the DPA essentially stated that the data subject had not submitted an application for rectification, but only for deletion.

The data subject appealed the decision on the basis that the individual circumstances were not taken into account nor were the data subject's individual payment behaviour. The Capital Adequacy Regulation, cited by the DPA, would only apply to banks, but these are subject to stricter regulations than other businesses.

Holding[edit | edit source]

The Court of Appeal upheld the decision of the DPA.

It stated that, in contrast to the opinion of the data subject, the Capital Adequacy Regulation plays a role in the present proceedings. Based on the Capital Adequacy Regulation's case law, the court considered that the required storage period of data relating to creditworthiness was five years. Therefore, the data storage of the controller is legal pursuant to on Article 6(1)(c) GDPR. Data processing to calculate creditworthiness, on the other hand, is based on overriding legitimate interests of the controller (and affected third parties) in accordance with Article 6(1)(f) GDPR.

The data subject was not able to provide any significant reasons why, in the case-by-case assessment of the necessity of storing his creditworthiness data, a shorter period than the five-year period used as a guideline in the case law could be assumed. Only around four years have passed since the end of the payment period in 2018. There were no indications from that his creditworthiness has increased significantly in the meantime. It can therefore be assumed that the personal data entries, which are the subject of the proceedings, are still relevant for the assessment of the creditworthiness.

In regards to the balancing of interests of the parties, ultimately, the legitimate interest of the data subject in deleting the personal data from the controller database does not outweigh that of the controller (and their customers) in storing the data. The data processing was therefore in accordance with Article 6(1)(f) GDPR. Since the personal data were still necessary for the purposes for which they were collected or otherwise processed, the authority concerned had rightly denied the existence of a violation of the right to erasure.

Concerning the right to rectification, as established and correctly explained by the DPA, in his request directed at the controller, the data subject had not requested the correction of his personal data from the controller, but only their deletion. In the present proceedings, the data subject merely alleged a violation of the right to rectification, but without going into detail which the personal data had to be rectified. The court was not able to infer such a request from the data subject's request to the controller.

The assertion of the right to restriction of processing also requires that the data subject had at some point contacted the controller about it. In his letter to the controller, the data subject had only requested the deletion of the data at issue, but not the restriction of processing. As with the right to rectification, a request to restriction of processing had never been properly issued to the controller.

Lastly, the court considered the right to object pursuant to Article 21 GDPR. As the personal data was processed based on Article 6(1)(f) GDPR, this right might have been applicable. The court noted that the lawful refusal of the objection by the controller requires compelling legitimate reasons for the processing which outweigh the interests, rights and freedoms of the data subject. For example, reasons recognized by Union or national law are deemed worthy of protection. Such reasons are binding if it is not possible to achieve the pursued goal without the concerned data processing. In the present case, it has already been explained in connection with the right to erasure that the data processing was lawful and that the legitimate interests of the controller or third parties in the processing of the data subject's personal data outweigh those of the data subject.t

Consequently, the court of appeal rejected all claims of the data subject and upheld the DPA's decision.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

12/21/2022

standard

B-VG Art133 Para.4
DSG §1
GDPR Art16
GDPR Art17
GDPR Art18
GDPR Art21
GDPR Art4
GDPR Art5
GDPR Art6 Para.1 litf
Trade Regulations 1994 §152
VwGVG §28 paragraph 2

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01.01.2014 last changed by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from 01.01.2000 to 31.12.2013

GewO 1994 § 152 today GewO 1994 § 152 valid from 08/01/2002 last amended by Federal Law Gazette I No. 111/2002 GewO 1994 § 152 valid from 03/19/1994 to 07/31/2002

VwGVG § 28 today VwGVG § 28 valid from 01/01/2019 last amended by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from 01/01/2014 to 12/31/2018

saying

W176 2247074-1/4E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court has judge Mag. NEWALD as chairman and the expert lay judge Dr. ZELLENBERG and the expert lay judge
MAYER-HAINZ about XXXX's complaint against the decision of the data protection authority of August 16, 2021, Zl. D124.963, 2020-0.596.331 (participating party: XXXX ), regarding violation of the right to secrecy, deletion, objection, correction and restriction of the processing in a non-public session:

a)

The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision

I. Procedure

1. By e-mail dated December 16, 2019, XXXX (complainant, hereinafter: BF) lodged a complaint with the data protection authority (hereinafter: the authority concerned).

However, he sent the competent authority (apparently in error) the completed complaint form of another complainant from a parallel procedure. The complaint was therefore not detailed, but only contained a "request for examination and decision".

The BF submitted his complaint to XXXX (participating party, hereinafter referred to as MP) for a deletion request dated October 28, 2019, a negative reply from the MP dated November 11, 2019, another request for deletion addressed to the MP dated December 5, 2019 and another negative Response letter from the MP dated December 12, 2019.

2. In an email dated January 9th, 2020, the BF explained his complaint in more detail to the effect that "the creditor protection association" violated his right to secrecy in accordance with Section 1 (1) DSG. The creditworthiness data stored by "the creditor protection association" including reference to a restructuring procedure are no longer necessary due to the special circumstances of the individual case. All creditors had agreed to the deletion of the entries. In his complaint he asserted his right to rectification and it should also be seen as an objection to data processing. In addition, another credit agency shares his legal opinion and has already deleted its entries about him.

The BF enclosed the letter from the other credit agency mentioned regarding the deletion of his data with his supplementary complaint.

3. In a letter dated March 10th, 2020, the authority concerned issued the BF with a rectification order. In it, she pointed out that the wrong complaint form had been submitted and further summarized that the following elements would be missing for a lawfully executed complaint:

1. The designation of the right deemed to have been infringed

2. The designation of the legal entity or body to which the alleged infringement is attributed

3. The facts from which the infringement is derived

4. The grounds on which the allegation of illegality is based

5. The desire to establish the alleged infringement

The BF was granted a period of two weeks for the improvement.

4. With an email dated March 24, 2020, the BF introduced an improvement to the complaint. In it, he essentially stated that the complaint was directed against a violation of "the fundamental right to data protection" and the right to rectification, erasure and restriction of processing. In addition, he raises an objection to the data processing. The complaint is directed against the MP and is based on the fact that it has been storing negative entries relating to its creditworthiness for more than seven years and making them publicly accessible. The storage period cannot be justified. The files are to be deleted no later than three years after a court decision on the acceptance of a reorganization procedure has become final. It is not understandable to what extent the MP examined the special circumstances of the individual case. The authority concerned may instruct the MP to delete the negative entries or no longer make them publicly accessible no later than three years after the decision on the acceptance of a reorganization procedure has taken legal effect, since the interests of creditor protection would no longer outweigh the interests of the BF. The BF also requested the determination of the alleged infringements and the determination that "negative entries must be deleted for a maximum period of three years after the court decision on the acceptance of the reorganization procedure and its later fulfillment must be deleted".

5. In its statement of May 13, 2020, the MP argued in summary that it had not violated the BF's right to secrecy because it had not provided any third party with information about the BF. The BF also did not present any specific violation of rights, since he did not claim that a creditor had learned of the BF's insolvency proceedings. In its improvement of the complaint, the BF also claimed that the entry in the WKE warning list had violated the law. However, this is managed by a company that competes with MP. The MP does not provide this with any data sets.

With regard to the right to correction, the MP explained that, contrary to the opinion of the BF, a weighing up of interests had to be carried out in individual cases and therefore a general three-year period could not be assumed. In addition, the BF's data were recorded correctly and it was not clear to what extent they were incorrect from his point of view.

With regard to the right to deletion, the MP stated that the storage of the entry via the BF was based on its activities as a credit agency within the meaning of Section 152 GewO and as a creditor protection association within the meaning of Section 266 IO. The MP represented several creditors in the insolvency proceedings of the BF and exercised the right to vote on the acceptance of the restructuring plan. Since it has provided contractual services for the creditors, it is subject to tax and is obliged to keep the documentation for tax reasons. Due to her statutory right to remuneration, she also has to keep accounts and has the right to inspect the insolvency file. There is therefore a legal basis for data processing. In addition, the MP is still obliged to report and inform the creditors.

With regard to the right to restriction of processing, the MP stated that it did not assume a blanket storage period of seven years, but assessed this on a case-by-case basis. In the case at issue, the data on the insolvency proceedings of the BF are still relevant to creditworthiness due to the high liabilities and the payment deadline of less than one and a half years. However, the MP offers, without prejudice, to set a blocking notice and thus to comply with the desired restriction of data processing. Accordingly, no credit ratings or information would be given, so that a “complicatement of the economic advancement” of the BF was ruled out.

With regard to the right to object, the MP explained that an objection is only possible against data processing based on Article 6 Paragraph 1 lit. e or f GDPR. However, the MP also bases the data processing on Article 6(1)(b) and (c) GDPR. In addition, the BF did not explain why the weighing of interests should be in his favour. Contrary to the opinion of the BF, the reorganization process did not last long and the BF's company had meanwhile been continued, so that he was able to develop another professional activity. It is not understandable to what extent the situation of the BF is special.

The MP enclosed with its statement an excerpt of the BF's data it had stored, an excerpt from the edict file on the BF's insolvency proceedings, the registration list of the creditors registered in the BF's insolvency proceedings and a list of the creditors represented by the MP in the insolvency proceedings.

6. In a letter dated June 4th, 2020, the BF stated in summary that his applications were justified and that the relevant authority should grant his complaint in full. Contrary to the statements of the MP, the violation of the right to secrecy according to § 1 DSG could not depend on whether information had been requested in the past. Rather, due to the legal provisions, it must be ensured that data is deleted in accordance with the law and is therefore no longer available for disclosure. The entry of the restructuring procedure is the only negative entry. The complaint is directed against the continued existence of the negative entry relating to the restructuring process for a period of more than three years in the MP file. This three-year period expired on November 30, 2019 as a result of the court decision confirming the restructuring plan of December 1, 2016.

Regarding the request for correction, the BF explained that, in his view, negative entries should be deleted after three years at the latest. Irrespective of this, it is mandatory to check in each individual case whether there are special circumstances that could justify earlier deletion. There is no case law on this within the scope of the GDPR. The question of the proportionality of the maintenance of creditworthiness-restricting entries to protect future lenders on the one hand and to guarantee the market opportunities of those seeking credit on the other hand is essential and the subject of the complaint. From the point in time at which the entries would be disproportionate, there is a violation of the DSG and the GDPR. The deletion period only begins to run when the last quota has been paid. Since no later quota payment had been agreed in the present case, the decision on the confirmation of the restructuring plan is the starting point if the restructuring plan is ultimately fulfilled. If the last quota would not be paid, a new insolvency procedure would probably result. Any non-payment of a further or the last quota would result in a new starting point. A credit rating restriction lasting three years after the conclusion of the restructuring process with subsequent good behavior is completely sufficient to meet the requirements for creditor protection. The assertion that creditworthiness-restricting entries in the MP file would not prevent the conclusion of credit or leasing agreements is an irrelevant argument that calls into question the activities of the creditor protection associations as a whole.

Regarding the cancellation request, the BF argued that the MP justifies the maintenance of the registration with the tax obligation to maintain supporting documents for a period of seven years or even with the fact that this tax obligation is extended by monitoring the quota payments. In the absence of subsequent quota payments, there is no need to monitor such payments after the restructuring process has been completed. The MP is obliged to keep invoices that it has issued to the customers it represents for seven years and to submit them to any auditor of the tax office. However, this has nothing to do with the fact that the MP has to adjust and delete entries in accordance with other legal provisions as part of its operational activities, even at an earlier point in time. According to the BAO, it contradicts the laws of human thought that the negative entries should not be changed or deleted during the period of the document retention obligation. The BF did not understand why the MP's right to inspect the files should justify the maintenance of negative entries. After the conclusion of the restructuring process, the file is frozen and remains unchanged. The right to inspect the files may continue to exist even after the – long since completed – deletion of the restructuring procedure in the edict file; the BF therefore does not understand to what extent the maintenance of a negative entry can be justified. The other creditors (non-banks) would have claims totaling €98,260, all of which would stem from ongoing business transactions that could no longer have been paid because the proceedings had been opened. At the latest during this individual examination, the MP should have established that the small creditors it represented, without exception, had not registered any overdue invoices, but only the last invoice that happened to remain open.

In order to restrict the processing, the MP persistently ignores the fact that all bank creditors have agreed in writing to the deletion of the negative entry. Because of these declarations of consent, it is not permissible for the MP to justify the maintenance of the negative entry with the banks' high exposure.

Regarding the right to object, the BF explained that the MP bases the data processing exclusively on the fulfillment of the contract with the represented creditors in accordance with Article 6(1)(b) GDPR and the fulfillment of tax and accounting obligations in accordance with Article 6(1)(c) GDPR . According to the legal opinion of the BF, the MP's statements in this regard are in blatant contradiction to human laws of thought and are therefore completely unsuitable for justifying the maintenance of negative entries. The MP's protective claim that the BF had not adequately explained the special situation was unfounded. The declarations of consent of all bank creditors were submitted. The BF would not approach the MP's offer, since objectively correct or subjectively acceptable reasons for the negative entries could not be identified and were also not presented.

6. The BF submitted an additional statement in an email dated June 18, 2020. In essence, he stated that the MP had not put forward any arguments showing that processing the BF's data for three years was not sufficient to safeguard the interests of potential lenders. In the absence of a long-term interest in protecting creditors, the negative entries should be deleted after three years. Due to an individual examination, earlier deletion may also be necessary. The case-by-case assessment must be transparent and comprehensible. Since the storage period could in any case be extended due to renewed violations of payment obligations through further negative entries, storage for a period of three years is sufficient for creditor protection. The automatism used by the MP to store negative entries for more than three years is unacceptable and legally impermissible.

7. With an e-mail dated July 20, 2020, the MP submitted a supplementary statement. In it she explained that the BF had enclosed correspondence with his complaint that had not taken place between him and the MP, but between the MP and a complainant in another procedure before the relevant authority, who was represented by the BF. The BF sent a request for information to the MP on May 3rd, 2019, in a letter dated May 6th, 2019 the MP gave the BF information about the personal data of the BF processed by it and in a letter dated June 4th, 2019 the BF requested the deletion of the Data requested, which the MP rejected in a letter dated June 5th, 2019. The BF subsequently also requested deletion in letters dated October 28, 2019 and December 5, 2019, which the MP again rejected in letters dated October 30, 2019 and December 30, 2019. The MP processes the personal data of the BF within the scope of their business license in accordance with § 152 GewO. The violations of rights brought forward by the BF do not exist.

With regard to the right to confidentiality, the MP argued that the payment experience at issue was still necessary for the purpose of the processing. With regard to the storage period of creditworthiness data, observation or deletion periods in creditor protection provisions should be used. Such arises from Regulation (EU) No. 575/2013 of the European Parliament and of the Council of June 26, 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 646/2012 (Capital Adequacy Regulation). Accordingly, the European legislator assumes that payment defaults over a period of at least five years are relevant for the credit rating. The reorganization plan that is the subject of the proceedings was confirmed by resolution in 2016, but the end of the payment period, in this specific case December 1, 2018, should be taken into account. The fact that the data at issue in the proceedings has already been deleted from the insolvency file and is no longer publicly accessible is irrelevant. Due to the short duration since the end of the restructuring process, the data is still relevant for creditor protection.

Regarding the right to rectification, the MP argued that the BF had not requested any rectification and had not submitted any inaccuracy of the data. The BF only complained about the storage period. There is therefore no infringement of the law in this regard.

With regard to the right to erasure, the MP argued that the entry at issue in the proceedings was still necessary for the purpose of the processing. The BF has not submitted any reasons that would justify an objection, and there are compelling legitimate grounds for data processing that outweigh the interests, rights and freedoms of the BF. The data processing was also carried out lawfully. There are no reasons for deletion.

With regard to the right to restriction of processing, the MP argued that the BF had not requested the restriction of the data stored about him and that there was no violation of the law in this regard.

With regard to the right to object, the MP argued that the economic impairment put forward by the BF did not represent a special situation that could justify an objection to the data processing. Even if a justified objection were accepted, there would be compelling reasons for data processing worthy of protection that would outweigh the interests, rights and freedoms of the BF. The data are essential for creditor protection in relation to the creditworthiness of the BF. The BF's interest in secrecy and his interest in not being adversely affected in economic life can be classified as low, since he had not met his payment obligations in the past, which led to the restructuring proceedings. The fact that several guarantee obligations were the cause of the opening of the restructuring procedure is irrelevant.

The MP enclosed its information letter of May 6, 2019 and its letters of October 30, 2019 and December 30, 2019 with the statement.

8. With an e-mail dated September 11, 2020, the BF submitted a further supplementary statement. In it, he essentially explained that, at the request of the debtor, access to the insolvency file should no longer be granted if the legally binding restructuring or payment plan had been fulfilled. If the payments were not made or not made in full, the bankruptcy file could no longer be inspected after one year. If these conditions are met, references to a reorganization procedure should also be deleted from the company and land register at the request of the debtor. It follows from this that the MP cannot define any longer deadlines or other requirements for the deletion.

9. By decision of August 16, 2021, Zl. D124.963, 2020-0.596.331, the authority concerned rejected the data protection complaint as unfounded.

In justification, she essentially stated that the subject of the complaint was the question of whether the MP had violated the BF's right to secrecy, deletion, objection, correction and restriction of processing by not deleting the BF's negative entry in its creditworthiness database. The MP runs a business according to § 152 GewO as a credit agency. They save a negative entry in their creditworthiness database for a reorganization procedure opened on January 21, 2016 via the BF. This was rescinded on December 20, 2016 with the legal force of the adopted restructuring plan. The end of the payment period was set as December 1st, 2018. The BF requested the deletion of the negative entry in letters dated October 28, 2019 and December 5, 2019, the MP rejected the deletion in letters dated November 11, 2019 and December 12, 2019.

The authority concerned stated that the findings would result from the undisputed arguments of the parties and from the documents submitted by them.

From a legal point of view, the authority concerned explained that the processing of creditworthiness-related data by credit agencies is covered by § 152 GewO and therefore the legality of data processing does not depend on the consent of the person concerned. It can be assumed that the legislator assumes that commercial activity is permissible and that in certain cases there is a legitimate interest of the tradesman that outweighs that of the persons concerned. In the absence of special rules for credit reporting agencies, the general principles of the GDPR should be applied. Accordingly, personal data may only be collected for specified, clear and legitimate purposes in accordance with Article 5 (1) (b) GDPR. Under certain conditions, the lawfulness of the data processing according to Art. 6 Para. 1 lit. f GDPR can be affirmed. The subject of the proceedings is the question of how long payment experience data can be stored after the claim has been settled before they are no longer necessary for the purposes of processing. Only as long as the personal data is relevant to creditworthiness, there is a processing purpose according to Art. 5 Para. 1 lit. b GDPR.

With regard to the right to secrecy, the authority concerned essentially stated that the MP could base the data processing on Art. 6 (1) lit. f GDPR and that an overriding legitimate interest in the data processing should be assumed. With regard to the storage period, observation and deletion periods in creditor protection provisions should be used as a guideline. The capital adequacy regulation shows that the EU legislator assumes that data on payment defaults over a period of at least five years is relevant for the credit check. In the specific case, less than four years had passed since the end of the repayment period at the time of the decision. It should be based on the point in time when the payment plan is finally fulfilled, since the specific amount of the payment default can only be determined at that point in time. At the time of the decision, the protection of creditors and thus the legitimate interests of third parties were to be given a higher priority than the legitimate interests of the BF. The BF was therefore not violated in his right to secrecy.

With regard to the right to erasure, the relevant authority essentially stated that the data processing was still necessary and lawful at the time of the decision. The deletion from the insolvency file does not mean that the data should also be deleted from the MP's creditworthiness database. Various legal consequences are linked to the public announcement in the insolvency file and it does not primarily serve to protect creditors in the case of claims that have already been repaid. Section 256 IO cannot be used to derive any restriction on the legal basis under Art. 6 (1) (f) GDPR. A violation of the right to deletion of the BF was not recognizable at the time of the decision.

With regard to the right to object, the authority concerned essentially stated that the difficult participation of the BF in economic life and his legal opinion, according to which negative entries should generally be deleted three years after the acceptance of the restructuring plan by court order and its fulfillment, do not constitute a special situation within the meaning of Art. 21 GDPR. The BF did not explain how his situation differed in an extraordinary, specific and individual way from the situation of other people. He could therefore not invoke Art. 21 GDPR.

With regard to the right to rectification, the relevant authority essentially stated that the BF had not submitted an application for rectification, but only for deletion. The right to erasure and the right to rectification are not congruent, but overlap and each require unlawful processing. The lack of a request for correction was a defect that could not be improved, so that the complaint in this regard had to be dismissed.

With regard to the right to restriction of processing, the relevant authority essentially stated that the assertion of the right requires an application. However, the BF did not apply for the restriction of processing, which constitutes a defect that cannot be improved. The complaint was dismissed on this point and unfounded in its entirety.

10. The BF filed a timely appeal against this decision, arguing in summary the following:

The contested decision is unlawful, since the authority concerned only used the Capital Adequacy Ordinance as a criterion for the deletion period, ignored the individual circumstances of the BF and did not justify why it considered a five-year period to be appropriate, without having taken the payment behavior of the BF into account. Although the authority concerned had to agree that observation and deletion periods in creditor protection provisions should be used when assessing the permissible storage period, they had used unsuitable provisions and had come to an unlawful result. The capital adequacy regulation only applies to banks, but these are subject to stricter regulations than other businesses. It cannot be justified that the data would also be made available to other economic operators for at least five years. In addition, the five-year observation period standardized in the Capital Adequacy Ordinance only refers to natural persons and banks are not dependent on the data provided by creditor protection associations. Even assuming a permissible five-year period, the contingent request for the restriction of processing would apply. However, the capital adequacy regulation is not suitable for deriving a permissible deletion period with regard to creditworthiness data stored by creditor protection associations. In addition, assuming a five-year period gives an inaccurate picture of the current creditworthiness of those affected. This could come earlier or later.

Rather, the deletion periods standardized in the IO should be used, since the legislature had weighed up the interests of debtors and creditors. The edict file and the execution register should be used primarily when assessing creditworthiness. It cannot be assumed that the legislature disregarded the deletion periods when regulating the insolvency proceedings. From the point of view of the legislator, the protection of creditors was obviously satisfied with the deletion period regulated in the IO. A longer period is therefore neither necessary nor permissible. The IO is the only possible legal source for assessing the permissible storage period. In the present proceedings, the authority concerned stated that when processing data from public registers such as the insolvency file, the respective special provisions are an indication of the (permissible) storage period. In any case, the MP did not explain in a comprehensible manner to what extent it had assessed and taken into account the circumstances of the individual case, but merely insisted on the five-year period. A five-year storage without individual case assessment contradicts the requirement of data minimization and storage limitation and leads to an excessive restriction of constitutionally and human rights guaranteed rights. It also contradicts Article 6 (1) (f) GDPR, since the interests, fundamental rights and freedoms of the data subject prevail in the context of the individual case assessment.

The BF requested that an oral hearing be scheduled and that the complaint be allowed regarding the alleged violation of the right to erasure and possibly regarding the alleged violation of the right to secrecy, rectification, restriction of processing and objection.

11. By letter dated October 4, 2021, the authority concerned submitted the complaint to the Federal Administrative Court, attaching the case files.

In its accompanying statement, the authority concerned denied the complaint in its entirety and referred to the contested decision in its entirety.

The authority concerned requested the decision on the matter itself and the dismissal of the complaint.

II. The Federal Administrative Court considered:

1. Findings

1.1. The decision is based on the facts presented under point I. above.

1.2. In addition, it is found:

The MP runs the business of credit reporting and issues credit reports in the course of its work. For this purpose, the MP stores data relating to the creditworthiness of specifically named persons in a database. In addition to the BF's personal and address data, the MP saved a note on the BF's bankruptcy proceedings in its database at the time of the decision. This note shows that bankruptcy proceedings were conducted for GZ XXXX before the regional court for civil law matters in Graz, which were opened on January 21, 2016 and ended on December 20, 2016 with the confirmation of a restructuring plan in accordance with Section 152b IO. The note does not contain any additional information. The information given in the memo about the bankruptcy proceedings of the BF is correct.

As of November 29, 2016, several claims totaling €6,495,284.80 were registered and recognized in the bankruptcy proceedings; none of the claims registered were disputed. With the decision of December 20, 2016, which was corrected on December 21, 2016, the payment plan accepted on December 1, 2016 was finally confirmed and the restructuring procedure was lifted. The main content of the recovery plan was as follows:

"The insolvency creditors receive a quota of 22.5%, of which a cash quota of 12% is to be distributed by the insolvency administrator within 14 days after the confirmation has become final and a further 10.5% within 2 years of acceptance."

The payment period ended on December 1st, 2018.

In an email dated October 28, 2019, the BF asked the MP to delete the note on the restructuring process and all other comments that affect his creditworthiness. In a letter dated November 11, 2019, the MP rejected the BF’s request for deletion. In a letter dated December 5th, 2019, the BF again requested the MP to delete all negative entries, which the MP again rejected in a letter dated December 12th, 2019. In his letter, the BF neither claimed that the data processed by the MP was incorrect, nor did he request that the processing be corrected or restricted.

2. Evaluation of Evidence

The established facts are based on the content of the files and are essentially undisputed.

The fact that the MP practices the business of credit reporting was convincingly demonstrated by the MP and not doubted by the BF. The findings regarding the data of the BF stored by the MP in its database are based on the information letters submitted by the MP, the correctness of which was not disputed by the BF. The findings on the restructuring process and plan are based on the submitted excerpt from the edict file. The findings on the BF's request for deletion and the MP's letter of refusal are based on the enclosures submitted.

3. Legal Assessment

3.1. Regarding the applicable legal norms:

According to Section 1 (1) of the Federal Act for the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG), everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as data worthy of protection there is interest in it. The existence of such an interest is excluded if data are not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.

According to Section 1 (2) DSG, restrictions on the right to secrecy are only permissible to protect the overriding legitimate interests of another person, insofar as the use of personal data is not in the vital interests of the person concerned or with his consent, and only in the event of intervention by a state authority on the basis of laws that are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.

Art. 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (GDPR) standardizes the following Legal definitions relevant to the process in question:

1. “Personal data”: any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. “Processing”: any process carried out with or without the help of automated processes or any such series of processes in connection with personal data such as collection, recording, organization, ordering, storage, adaptation or modification, reading, querying , use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;

3. "Restriction of processing": the marking of stored personal data with the aim of restricting their future processing;

[…]

7. "Responsible person": the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of the processing of personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;

[...]

10. “Third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data process;

11. "Consent" of the data subject: any voluntarily given, informed and unequivocal expression of will in the specific case in the form of a declaration or other clear affirmative action by which the data subject indicates that they consent to the processing of their data agrees to the personal data concerned;

According to Art. 5 GDPR, personal data - insofar as relevant in the present procedure - must be processed in a lawful manner ("lawfulness"), collected for specified, clear and legitimate purposes ("purpose limitation"), appropriate and relevant to the purpose and to the for be limited to what is necessary for the purposes of the processing (“data minimization”), be accurate and, where necessary, up to date (“accuracy”) and be stored in a form that allows identification of data subjects only for as long as is necessary for the purposes for which they are processed ("storage limitation").

According to Art. 6 Paragraph 1 lit. f GDPR, the processing of personal data is lawful if the processing is necessary to protect the legitimate interests of the person responsible or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not violate the protection require personal data prevail.

In accordance with Art. 16 GDPR, the data subject has the right to demand that the person responsible correct incorrect personal data concerning them without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data - also by means of a supplementary statement ("right to rectification").

In accordance with Article 17 (1) GDPR, the data subject has the right to demand that the person responsible delete personal data relating to them immediately, and the person responsible is obliged to delete personal data immediately if one of the reasons listed in lit. a to f standardized reasons applies ("right to erasure"). This is the case - insofar as it is relevant in the present procedure - if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed (lit. a), the data subject files an objection and no overriding authorized persons There are reasons for the processing (lit. c) or the personal data was processed unlawfully (lit. d).

Pursuant to Art. 18 Para. 1 GDPR, the data subject has the right to demand that the person responsible restrict the processing if one of the following conditions is met ("right to restriction of processing"):

a) the accuracy of the personal data is disputed by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

b) the processing is unlawful and the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted;

c) the person responsible no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims, or

d) the data subject has lodged an objection to the processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

In accordance with Art. 21 (1) GDPR, the data subject has the right, for reasons arising from their particular situation, to object at any time to the processing of personal data relating to them, which is based on Article 6 (1) (e) or (f). ; this also applies to profiling based on these provisions (“right to object”). The person responsible no longer processes the personal data unless he can demonstrate compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

The trade of the credit agency is regulated in § 152 GewO. The tasks of traders within the meaning of § 152 GewO include providing information on the creditworthiness of companies and private individuals to third parties. This should provide lenders with meaningful information about existing or potential borrowers, and in particular about the way in which they have paid their debts to date. This is intended to enable lenders to determine the probability that the lender will ultimately be satisfied on account of his claim and, if necessary, to predict how many difficulties this will entail. This is a legally regulated and recognized purpose (cf. BVwG 30.10.2019, W258 2218465-1).

3.2. Regarding the right to erasure:

The MP exercises the trade of the credit information agency iSd § 152 GewO. In the course of this, it processes the personal data of the BF specified in the findings without his consent. Due to the legal basis, it can be assumed that the personal data of the BF were originally processed in a lawful manner. The data was also collected for specified, clear and legitimate purposes, namely for the purpose of assessing the creditworthiness of the BF and thus for the purpose of protecting creditors. Furthermore, data was only collected to the extent required for this purpose. The BF did not explain in this regard that the processed data would not have been necessary for the fulfillment of the purpose. The BF also did not argue that the data were incorrect or not up to date, so that there is no doubt as to their correctness. The only dispute is how long the storage of the data is necessary to fulfill the purpose.

The permissible storage period of creditworthiness data is not standardized by law. Rather, the omission of the purpose of storing creditworthiness data due to the passage of time must be assessed in individual cases using the following criteria (cf. Haidinger in Knyrim, DatKomm Art 17 DSGVO, Rz 49/1 (as of December 1st, 2021, rdb.at)):

• the amount of each claim;

• the “age” of the claims (hence the date of entry in the database);

• the number of debts collected through a collection agency;

• the time elapsed since a claim was settled;

• the origin of the data and any applicable storage periods there;

• the debtor's good conduct since then;

• Period between opening and closing of bankruptcy;

• possible consideration of an increased creditworthiness of the debtor at the time of the decision.

In contrast to the legal opinion of the BF, the Capital Adequacy Ordinance plays a role in the present proceedings insofar as the Federal Administrative Court derives a guideline for the required storage period of creditworthiness data from it in its case law. This is basically five years. The BF's objection that the Capital Adequacy Ordinance is unsuitable as a guideline for the permissible storage period and that the periods standardized in Section 256 IO should be used, must be countered that the data processing in the insolvency file refers to the legal obligation arising from Section 256 IO and thus to supports the legal basis of Art. 6 (1) (c) GDPR. However, data processing in a creditworthiness database is permitted due to overriding legitimate interests of the person responsible in accordance with Article 6 (1) (f) GDPR. It cannot be deduced from § 256 IO that data relating to insolvencies after their deletion from the insolvency file may no longer be processed on the basis of another legal basis of the GDPR. Rather, such a restriction would contradict EU secondary law. When assessing the permissible storage period, the point in time when the payment plan is fulfilled must also be taken into account, since the specific amount of the payment default can only be assessed at that point in time (cf. BVwG 30.10.2019, W258 2218465-1).

The BF could not provide any significant reasons why, in the case-by-case assessment of the necessity of storing his creditworthiness data, a shorter period of five years than the five-year period used as a guideline in the case law could be assumed. Rather, the large number and the considerable amount of the claims registered and recognized as part of the restructuring proceedings of the BF indicate that the relevant data are still relevant for the assessment of his creditworthiness. In addition, only around four years have passed since the end of the payment period on December 1, 2018 at the time of the decision and there are no indications from the BF's submissions that his creditworthiness has meanwhile increased significantly. It can therefore be assumed that the entries that are the subject of the proceedings are still relevant for the assessment of the creditworthiness of the BF. The principles of data processing standardized in Art. 5 GDPR were therefore observed in the specific case.

If the processing of personal data is based on the legal basis of Art. 6 Para. 1 lit. In the present case, the legitimate interest of the MP or its customers to be able to assess the risk when granting a loan and thus to comply with the requirements standardized in the Capital Adequacy Ordinance is that of the BF not to be disadvantaged in business life due to the processing of his personal creditworthiness data , across from. It must be taken into account that the EU legislator considers it necessary to base the assessment of the payment behavior of a potential debtor on an observation period of at least five years (cf. BVwG 30.10.2019, W258 2218465-1).

Ultimately, the legitimate interest of the BF in deleting his personal data from the MP database does not outweigh that of the MP and their customers in storing the data. Data processing is therefore lawful in accordance with Article 6 Paragraph 1 Letter f GDPR. Since the personal data are still necessary for the purposes for which they were collected or otherwise processed and are being processed lawfully, the authority concerned has rightly denied the existence of a violation of the right to erasure, so that the complaint on this point is to be dismissed is.

3.3. On the right to confidentiality:

§ 1 para. 1 DSG establishes a right to secrecy of one's own personal data, insofar as there is a legitimate interest in it. However, Section 1 (2) DSG stipulates that restrictions on the right to secrecy are permissible in order to safeguard overriding legitimate interests of other persons. A weighing of interests must therefore be carried out, taking into account that data processing must be necessary to safeguard the legitimate interests of the person responsible or third parties and that the fundamental rights and freedoms of the data subject must not prevail in order to be permissible.

The statements on the right to erasure show that the protection of creditors and thus the legitimate interests of third parties outweigh the legitimate interests of the BF. Consequently, his right to secrecy within the meaning of Section 1 (2) DSG is restricted. The MP did not infringe the BF's right to secrecy by storing the data on the restructuring process, so that the complaint in this regard had to be dismissed as unfounded.

3.4. Regarding the right to rectification:

As established and correctly explained by the authority concerned in the contested decision, the BF did not request the correction of his personal data from the MP, but only their deletion. In the present proceedings, he merely alleged a violation of the right to rectification, but without going into the extent to which the personal data processed by the MP was incorrect or incomplete and therefore had to be rectified. Such a request cannot be inferred from the letters he submitted to the MP either. However, a request by the data subject for rectification to the controller is an essential prerequisite for the success of a complaint of violation of the right to rectification. If such an application was not made, there is a defect that cannot be improved (cf. Jahnel, commentary on the General Data Protection Regulation Art. 16 DSGVO, margin no. 13 (as of December 1st, 2020, rdb.at)).

It is therefore to be agreed with the authority concerned that the BF did not submit an application for correction to the MP and the complaint in this regard was therefore to be dismissed.

3.5. Regarding the right to restriction of processing:

The assertion of the right to restriction of processing also requires a request from the data subject addressed to the person responsible. This is basically aimed at ensuring that the personal data continues to be stored by the person responsible, but is only processed otherwise under the strict conditions specified in Art. 18 Para. 2 DSGVO (cf. Jahnel, commentary on the General Data Protection Regulation Art. 18 GDPR, margin no. 1 (as of December 1st, 2020, rdb.at)).

In this context, reference can be made to the statements on the right to rectification (3.4.). In his letter to the MP, the BF only requested the deletion of the data at issue, but not the restriction of processing. He has therefore not made a request to that end, which would be necessary for the successful assertion of a violation of the right to restriction of processing.

The decision of the competent authority is therefore not unlawful in this objection either, so that the complaint in this regard had to be dismissed.

3.6. On the right to object:

Since the processing of the BF's personal data by the MP is based on the legal basis of Art. 6 Para. 1 lit. f GDPR, the exercise of an objection pursuant to Art. 21 Para. Accordingly, if there are certain reasons that arise from the particular situation of the data subject, the person responsible no longer has to process the data after the objection has been raised, unless he can demonstrate compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the data subject prevail. Which special situations can be a basis for an objection is not standardized. However, the reasons must be recognized by Union or national law and must be assessed on a case-by-case basis. A prerequisite for a legitimate objection is also lawful data processing. If, on the other hand, data processing is unlawful, there is a right to erasure, but not to objection. However, since a legal layperson cannot reasonably be expected to distinguish between lawful and unlawful data processing, using the general legal principle "falsa demonstratio non nocet" it is assumed that an application can be reinterpreted accordingly (cf. Haidinger in Knyrim, DatKomm Art 21 DSGVO, Margin no. 20 ff (as of October 1, 2018, rdb.at)).

The lawful refusal of the objection by the person responsible for data processing requires that there are compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the data subject. Reasons recognized by Union or national law are deemed worthy of protection. The reasons are mandatory if it is not possible to achieve the goal pursued without data processing (cf. Haidinger in Knyrim, DatKomm Art 21 GDPR, margin no. 40 ff (as of October 1, 2018, rdb.at)).

In the present case, it has already been explained in connection with the right to erasure (3.2.) that the data processing was lawful and that the legitimate interests of the MP or third parties in the processing of the BF's personal data outweigh those of the BF. The data processing takes place for a legally recognized reason and is absolutely necessary to achieve the purpose of creditor protection. Even if the BF's request for deletion was reinterpreted as an objection, the requirements for raising an objection are not met, so that the complaint was also dismissed on this point.

3.7. Result

As can be seen from what has been said, the authority concerned correctly assumed in the contested decision that the MP did not infringe the BF's right to secrecy, deletion, objection, correction and restriction of processing.

The complaint was therefore dismissed as unfounded.

3.8. For the omission of an oral hearing

There was no need for an oral hearing within the meaning of § 24 VwGVG, especially since the relevant facts are known from the files and only legal issues had to be clarified in the proceedings. A fact-related submission that goes beyond the facts that are essentially undisputedly evident from the file was not made.

3.9. On the inadmissibility of the revision

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

This decision does not depend on the resolution of a legal issue of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal issues to be resolved. It was therefore to be stated that the revision according to Art. 133 Para. 4 B-VG is not permissible.