BVwG - W211 2225136-1

From GDPRhub
BVwG - W211 2225136-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 17 GDPR
Article 21 GDPR
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Decided: 28.08.2020
Published: 29.12.2020
Parties: KSV1870 Information GmbH (respondent in the initial procedure before the DSB)
National Case Number/Name: W211 2225136-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W211.2225136.1.00
Appeal from: DSB
not published
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court rejected a data subject's appeal against a decision of the Austrian DPA regarding data erasure: Credit reference agencies are allowed to store data on insolency proceedings for possibly up to five years.

English Summary[edit | edit source]

Facts[edit | edit source]

In 2010, the data subject had been subject to insolvency proceedings. In 2012, he was ordered to repay 70% of his open debts and managed to fulfil this payment plan by mid-March 2018. The competent court consequently accepted his request to remove information on the insolvency from the public insolvency register (Insolvenzdatei).

This publicly available information of the data subject's insolvency had also been stored in the database of the credit reference agency KSV 1870 Information GmbH. The data subject is also the sole managing director of a limited company. The database entry on his insolvency has also been linked with the data stored on this company.

The data subject requested the erasure of the data on his insolvency under Article 17 and 21 GDPR, stating that he has paid back his debts in line with the payment plan and that data on his insolvency are no longer published in the insolvency register.

After KSV 1870 Information GmbH refused to delete the data, the data subject lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB). The DSB rejected the complaint and the data subject filed an appeal with the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG).

Dispute[edit | edit source]

Is a credit reference agency such as KSV 1870 Information GmbH allowed to store data on the insoleveny of an individual beyond the availability of that data in the official insolveny register? If so, for how long?

Holding[edit | edit source]

The BVwG held, that KSV 1870 Information GmbH is allowed to store the data on the data subject's insolvency, even though that data is no longer available in the official insolvency register. Both the amount of a debt and the time that has passed since its incurrence and its payment are relevant to assess an indivuidual's creditworthiness.

Neither EU law nor the national Austrian law contain provisions on the allowed storage period of creditworthiness data (such as information on insolvencies). The storage period can therefore be established by assessing existing legal provisions that deal with creditor protection or requirements for an appropriate credit assessment.

Under REGULATION (EU) No 575/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 banking institutions have to estimate the probability of default of payment by using long-term averages of the annual default rate, based on a historical observation period of at least five years. In light of these obligations and the fact that banking institutions are among KSV 1870 Information GmbH's customers, the BVwG rejected the data subject's erasure request. The debts have only been fulfilled some two years ago (in 2018) - i.e. nowhere near the five-year period taken into account by the BVwG.

Comment[edit | edit source]

Note that the BVwG did not apply Regulation (EU) No 575/2013 on the data processing by the credit refrecence agency but merely took it into account when assessing the storage period of inolvency data by the redit refrecence agency.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
Federal Administrative Court
Decision date
28.07.2020
Business number
W211 2225136-1
Saying
W211 2225136-1/5E
In the name of the republic!
The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as associate judge, rules on the appeal of XXXX, represented by Brand Rechtsanwälte GmbH, against the decision of the data protection authority of XXXX, no. XXXX. XXXX , in closed session:
A) 
The appeal is dismissed as unfounded. 
B)
The appeal is admissible pursuant to Art. 133 para. 4 B-VG.

Text

REASONS FOR DECISION:
I. Course of proceedings:
By data protection complaint of XXXX 2018, the complainant alleged a violation of the right to deletion. In summary, on XXXX 2018, he had requested the deletion of an entry relating to his insolvency in the database of KSV1870 Information GmbH (co-participating party), as the entry had been deleted from the edict file since XXXX 2018. The insolvency entry was present both in his personal profile and in the company profile of his company, XXXX GmbH. In a letter dated XXXX 2018, the other party informed him that it would not comply with the request for deletion. The correspondence between the complainant and the involved party that preceded the present complaint procedure was attached to the data protection complaint.
2 In its statement of XXXX 2018, the intervening party summarised that it was a credit reference agency and that it had a legitimate interest in providing information on creditworthiness. The processing of the complainant's data was necessary and appropriate to safeguard these interests. Information on a past inability to pay was relevant for the assessment of creditworthiness. Thus, a past inability to pay represented a de facto increase in risk when granting a loan. There were no overriding interests of the complainant. The deletion of insolvency data from the edict file did not in any way lead to an obligation to delete data for the party involved. The data protection complaint was therefore unfounded.
In his statement of XXXX 2019, the complainant then explained in summary - after hearing the parties on the results of the investigation procedure - that a case-by-case examination always had to be carried out when a request for cancellation was received; this was also the case law of the (former) Data Protection Commission. Such a case-by-case examination had not taken place in the present case. The data processed was no longer relevant for assessing his creditworthiness, as his financial circumstances had changed. Since 2016, he had again been active and successful as an entrepreneur. Due to the inadmissible data storage, he had already suffered damage, as he had not received any positive feedback on financing applications. 
In the contested decision of XXXX 2019, delivered electronically on XXXX 2019, the data protection complaint was dismissed as unfounded due to violation of the right to erasure. It was stated that the processing of data relevant to creditworthiness by a credit reference agency within the meaning of section 152 of the Trade, Commerce and Industry Regulation Act 1994 (GewO 1994) was covered by this provision, and that the lawfulness of the processing of these data did not therefore depend on the prior consent of a data subject. Since the exercise of this commercial activity is not conceivable in any meaningful way without collecting, storing and passing on the relevant data, it must also be assumed that in certain categories of cases the legislator considered a legitimate interest of these traders in the use of data on "credit relationships" to outweigh the interests of the persons concerned. The purpose of the data processing in the database of the other party would be to enable those enterprises to access the data which, in the context of their economic activity, would incur a credit risk, for example in the supply of their goods or services. The question that arose in the proceedings was how long payment experience data could still be stored by the other party before it was no longer necessary for the purposes of processing. Only if the personal data were still relevant to creditworthiness would there be a processing purpose pursuant to Article 5(1)(b) of the General Data Protection Regulation (GDPR). The database of the involved party showed that the payment plan had already been processed directly by the debtor on XXXX 2018 and that the deletion of the insolvency entry from the edict file had been approved by the competent district court on XXXX 2018. Although a repayment of 70% was to be considered comparatively high, it had to be taken into account that this claim, which had apparently existed since May 2012, had nevertheless only been repaid on a pro rata basis in mid-March 2018 and the deletion from the edict file had only been approved at the beginning of May 2018. There was thus a period of (slightly) less than three months between the payment of the claim on a pro rata basis and the request for deletion pursuant to Article 17 of the GDPR, and even less than one month between the deletion from the edict file and the request for deletion pursuant to Article 17 of the GDPR. Furthermore, it had to be assumed that the complainant could also have reasonably expected that, against the background of a mere quota-based fulfilment of the claim, his data would continue to be entered in creditworthiness databases for a period longer than three months after this fulfilment.
In his complaint of XXXX 2019, the complainant stated that his financial circumstances had changed fundamentally or improved since 2016, but that the insolvency entry still attested to his reduced creditworthiness. The data processed were therefore factually incorrect, as they did not reflect his current creditworthiness. The insolvency entry was outdated insofar as it referred to his economic situation at the time of the opening of the debt settlement proceedings in 2010 and the conclusion of the payment plan in 2012. The involved party should also have informed him in accordance with Article 13 of the GDPR when collecting his data, which it had failed to do. The balancing of interests carried out by the data protection authority in the context of Article 6(1)(f) of the GDPR also proved to be insufficiently substantiated and incorrect. Although there was a legitimate interest of the involved party to exercise its trade according to § 152 GewO 1994 in order to protect creditors, the worthiness of protection of its processed data was not reduced, as it was no longer public. Furthermore, the data would be made accessible to a large circle of persons and used by third parties as a decision-making aid for the conclusion of a transaction, which would have negative consequences for the complainant and hinder his economic advancement. Due to the age, the amount of the claims and the deletion from the edict file, he could not have expected that the data would be further processed by the co-participating party. Since the deletion of his data from the edict file, almost 18 months had passed. The rate of the payment plan confirmed in 2012 had been 70% and was to be considered comparatively high, and the creditors had waived a relatively small amount. A further processing of the data would therefore prove to be disproportionate in any case if the legal assessment was correct. Finally, it was explained that other credit agencies and creditor protection associations had also complied with the complainant's request for deletion, with copies of the correspondence with them being attached to the complaint.
By letter dated XXXX 2019, the authority concerned submitted the file.
II. the Federal Administrative Court considered:
1. findings:
The complainant was a debtor in debt settlement proceedings opened in 2010. A repayment rate of 70% was set in 2012 as part of a repayment plan, and this was met in mid-March 2018. 
By order of XXXX 2018 on file number XXXX, the district court responsible for the insolvency case granted the deletion of the complainant's entries from the insolvency file.
The co-participating party carries on the business of a credit reference agency pursuant to § 152 GewO 1994, within the scope of which it provides information on creditworthiness. 
The co-involved party continues to store the complainant's data with regard to the aforementioned debt settlement proceedings. The entry in this regard reads in part as follows:
"Insolvency
Insolvency proceedings no. XXXX 
Edict wording XXXX born XXXX
Opening of proceedings XXXX 
End of application period 2010- XXXX 
Procedure code XXXX 
Current status of proceedings since 2018- XXXX 
Status of proceedings: Payment plan was settled directly by the debtor
Court District Court XXXX 
Business number XXXX 
Administrator XXXX 
Administrator Address XXXX 
Liabilities according to the insolvency application 167,596.54 [EUR]".
The entry is stored both in the personal creditworthiness profile and in the creditworthiness profile of XXXX GmbH, of which the complainant is the sole shareholder. The name of the complainant is mentioned in the creditworthiness profile of XXXX GmbH.
The complainant sent the following letters, extracts of which are reproduced below, to the co-operating party on XXXX 2018 and XXXX 2018:
"Dear Ladies and Gentlemen,
As I saw today when retrieving my personal data and the company profile of XXXX GmbH (last revision on XXXX 2018!!!), I request them immediately (within one day) to delete the insolvency entry both in my personal profile and in the profile of XXXX GmbH. The entry has been deleted from the edict file since XXXX 2018.
Furthermore, you are liable to me or XXXX GmbH for the proper deletion of all your service providers and my or XXXX GmbH's possible claims for damages. […]“
"Dear Ladies and Gentlemen,
[…]
I hereby revoke - if I have ever given consent to do so - pursuant to DSGVO 2018 Art 6 and Art 9 the processing of my processing personal data with immediate effect and object pursuant to Art 21 to the processing of my personal data. […]“
2. assessment of evidence:
The findings result from the file in connection with the submissions of the parties and are undisputed.
3. legal assessment:
Re A)
1. legal bases:
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation), are:
Article 5 Principles for the processing of personal data 
(1) Personal data must 
(a) processed lawfully, fairly and in a manner comprehensible to the data subject ('lawfulness, fairness, transparency'); 
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitation'); 
(c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimisation'); 
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate having regard to the purposes of their processing are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes, or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('storage limitation'); 
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organisational measures ('integrity and confidentiality'); 
(2) The responsible person shall be responsible for compliance with paragraph 1 and shall be able to demonstrate such compliance ("accountability").
Article 6 Lawfulness of processing 
1. Processing shall be lawful only if at least one of the following conditions is met: 
(a) - (e) [...]
(f) processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 
(2) - (4) […]
Article 17 Right to erasure ("right to be forgotten") 
1. The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her, and the controller shall be obliged to erase personal data without delay where one of the following reasons applies: 
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. 
(b) the data subject withdraws the consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing. 
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). 
(d) the personal data have been processed unlawfully. 
(e) the erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject. 
(f) the personal data have been collected in relation to information society services offered in accordance with Article 8(1).
(2) […]
Article 21 Right of objection 
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
(2) – (6) […]
2. application of the legal bases to the present complaint: 
The subject matter of the complaint is whether the co-participating party has infringed the complainant's right to cancellation by not complying with his request for cancellation dated XXXX 2018.
The complainant considers that the decision of the data protection authority violates his subjective right to the deletion of personal data relating to him, because the party involved is required to delete information on his completed insolvency proceedings and settled claims. This cannot be upheld, as was also essentially stated by the Federal Administrative Court in its decision of 30 October 2019, W258 2216873-1/7E: 
Personal data must be deleted at the request of a data subject if, among other things, it is no longer necessary for the purposes for which it was collected or otherwise processed, if it was processed unlawfully or if the data subject has objected to its processing pursuant to Article 21(1) of the GDPR (Article 17(1)(a), (c)(1) and (d) of the GDPR). A request for erasure would therefore be opposed to a data use that is necessary and lawful and against which no effective objection has been raised. 
The processing of personal data is permissible if it is carried out - in compliance with the processing principles set out in Art. 5 of the GDPR - on the basis of one of the grounds for authorisation set out in Art. 6 of the GDPR. 
2.1 For compliance with the processing principles pursuant to Art. 5 GDPR: 
According to the processing principles under Art. 5 GDPR, personal data - where relevant to the procedure - must be collected for specified, explicit and legitimate purposes ("purpose limitation"), be adequate, relevant and limited to what is necessary for the purposes of the processing ("data minimisation"), be accurate and, where necessary, kept up to date ("accuracy") and be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed ("storage limitation"). 
The co-participating party carries on the business of credit reference agency pursuant to § 152 GewO. 
The tasks of traders as defined in § 152 GewO include the provision of information on the creditworthiness of companies and private individuals to third parties. This is to provide lenders with meaningful information about existing or potential borrowers, in particular about the way they have paid their debts so far (Riesz in Ennöckl/Raschauer/Wessely, GewO § 152 Rz 2). This is intended to enable lenders to determine the probability with which a lender will ultimately be satisfied on account of the claim and, if necessary, to forecast how many difficulties this will involve (Wendehorst, Was ist Bonität? Zum Begriff der "Kreditwürdigkeit" in § 7 VKrG, in Blaschek/Habersberger (eds.), Eines Kredites würdig? (2011) 22). A tendency to breach the contract - such as a lack of financial self-control or habitual delaying of payments until pressure to execute - can be predicted above all from past financial behaviour. Relevant here is past behaviour in breach of contract, which may have manifested itself in simple late payment, but also in legal proceedings up to execution proceedings or even in the opening of insolvency proceedings (ibid. 23; cf. also Heinrich, Bonitätsprüfung im Verbraucherkreditrecht (Vienna 2014) 89 f). 
In the course of operating the credit reference agency business, the co-operating party processes historical information on defaults and insolvency proceedings of the complainant in order to make it available to (potential) creditors so that they can determine the risk of any defaults. 
This is a defined, unambiguous purpose recognised by the legal system (§ 152 GewO). Contrary to the complainant's argument, the data are also correct and complete, indicate the settlement of the payment plan and correctly reflect the data on the bankruptcy (e.g. opening of proceedings, court, reference number, etc.). They are also in principle necessary and suitable for making a forecast about his future payment behaviour (see also ECJ 23.11.2006, Rs C-238/05 para 47, according to which systems for the exchange of information between financial institutions concerning the solvency of customers improve the predictability of the probability of repayment, which is why they are in principle suitable for reducing the default rate of borrowers and thus increasing the efficiency of the credit offer). 
What is in dispute is how long such data may be processed. The complainant argues that the data processed about him by the other party is no longer suitable for assessing his creditworthiness due to his age, and that it only serves to prevent his participation in economic life; he thus claims a violation of the principles of "data minimisation" and "storage limitation", and that the balancing of interests to be carried out pursuant to Article 6 (1) (f) of the GDPR would (now) be in his favour.
2.2 On the permissible retention period of data on historical insolvencies and defaults:
Neither the GDPR nor the trade regulations on the credit bureau trade (§ 152 GewO) contain specific time limits on the permissible storage period of historical insolvency proceedings and payment defaults. How long these data may be processed in each case therefore depends fundamentally on the individual case. 
Even though historical payment information is essential for predicting the future payment behaviour of (potential) debtors, it is all the less meaningful the longer it dates back and the longer there have been no further payment stagnations or defaults. The age of the debt or the time when the final default of the debt was determined, the time of any repayments and the "good conduct" of the debtor since then are therefore of decisive importance in the assessment. 
As a guideline for how long creditworthiness data is suitable for assessing the creditworthiness of (potential) debtors, observation or deletion periods can be used in legal provisions that serve to protect creditors or specify the requirements for a suitable creditworthiness assessment in more detail. 
Such provisions can be found in Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 646/2012 ("Capital Adequacy Regulation"), which requires credit institutions, among other things, to value their clients and assess various risks of their exposures. For credit and retail exposures to natural persons, credit institutions that are allowed to calculate their risk-weighted exposure amounts using an approach based on internal assessments (Art. 143 para. 1 leg. cit.) must, pursuant to Art. 151 para. 6 in conjunction with 180 para. 2 lit. a and e leg. cit. cit., the probability of default (PD) of the exposure must be estimated, inter alia, on the basis of the long-term averages of the annual default rate; this must be based on a historical observation period of at least five years for at least one data source, which may also be external. The estimate of the loss given default (LGD) must also be based on a minimum observation period of five years in accordance with Art. 151 para. 7 in conjunction with 181 para. 2 lit. c leg. cit., the loss given default (LGD) must be based on a period of at least five years.
The (EU) legislator therefore assumes that data on any payment defaults over a period of at least five years are relevant for assessing the creditworthiness of (potential) debtors or the risk of a claim. 
If credit institutions as potential business partners of the co-participating party are in part legally obliged to assess their claims on the basis of the default rates of at least the last five years, and if, as here, the creditworthiness database of the co-participating party is also to serve to provide credit institutions with data that they need for their in part obligatory assessment, it cannot be recognised as a violation of the principle of data minimisation or storage limitation if the co-participating party processes data on an insolvency of the complainant. obligatory assessment, it cannot be recognised as a breach of the principle of data minimisation or storage limitation if the co-participating party processes data on an insolvency of the complainant if the payment plan had only been fulfilled less than three months ago at the time of the request for cancellation on XXXX 2018, or just over two years ago at the present time of decision, namely in mid-March 2018. This also applies to claims that have already defaulted more than five years ago, but were only finally repaid through the fulfilment of the payment plan less than three months ago, as in this case, or a little more than two years ago. The actual amount of the default can only be determined after the payment plan has (possibly not) been successfully fulfilled.
2.3 On the basis of Article 6(1)(f) of the GDPR: 
The processing of personal data is permissible, inter alia, pursuant to Art. 6 (1) lit f DSGVO, if it is necessary for the protection of legitimate interests of the controller(s) or a third party, unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data override such interests. A case-by-case balancing of interests must be carried out, in which the legitimate interests of the controller(s) or a third party for the processing must be set against the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (for the comparable predecessor provision of Art. 7 lit. f Data Protection Directive 95/46/EC, see ECJ 04.05.2017, C-13/16, Rīgas satiksme, para 31). The interests of the controller and third parties (possible business partners of the involved party) as well as the interests, rights and expectations of the data subject must be taken into account (Recital 47 of the GDPR). 
As soon as contracts contain a credit risk, the involved party and its customers have a comprehensible interest of the crediting contractual partners to assess this risk. The processing of data on historical insolvencies and defaults is carried out to protect potential contractual partners of the data subject who are third parties within the meaning of Art. 6(1)(f) of the GDPR (see also Schantz in Simitis, Hornung, Spiecker, Datenschutzrecht, Art. 6(1) Rz 133 f, 137). Thus, it also serves to support credit institutions in complying with the provisions of the Capital Adequacy Regulation, which provide for an observation period of at least five years with regard to the estimation of risk parameters. 
In contrast, data subjects have an interest in not being affected by disadvantages in economic life due to the processing. 
In sum, due to the interest of the contractual partners of the co-participating party in assessing credit risks, the observation of the historical payment behaviour of potential debtors is essential for this purpose, and against the background that the EU legislator considers it necessary to assess the risk of claims on the basis of an observation period of at least five years of past defaults, the processing of information on insolvency proceedings finally concluded a little more than two years ago through the fulfilment of a payment plan by the co-participating party is necessary. Since the final default rate of a claim is not known until the payment plan has been fulfilled, this also applies to claims that defaulted prior to this but were not repaid until the payment plan was fulfilled. 
The fact that the consequences of the processing have a negative impact on the complainant cannot substantially counteract the weighty interests of the party involved and its customers. Finally, the interests of data subjects, such as the complainant, in keeping their historical insolvency and non-payment data confidential in order to avoid disadvantages in economic life, do not outweigh this, at least not when, as here, the amount of the liabilities in the insolvency proceedings is also approximately EUR 215,000.
Insofar as the complainant repeatedly complains that the data would be made available to a large group of people, it must be pointed out that the party involved makes its services available to members against payment of a fee. It must therefore be assumed that the general public is limited, but it is precisely this public that has an interest in a credit check that must be taken into account. 
2.4 On the relevance of deletion periods from the insolvency file: 
The complainant's argument that the co-participating party had to delete the complainant's creditworthiness data at the same time as deleting it from the insolvency file is also not to be accepted: 
The admissibility under data protection law of maintaining the insolvency file is based on Section 256 of the Insolvency Code, a legal obligation within the meaning of Article 6(1)(c) of the Regulation; the admissibility of a creditworthiness database, on the other hand, is based on the overriding legitimate interests of the controller(s) pursuant to Article 6(1)(f) of the Regulation (cf. OGH 30.01.2017, 6 Ob 178/16v, jusIT 2017/52, 117 (Bergauer), according to which a deletion under section 256 of the Insolvency Code does not affect a use of data that is based on a different legal basis; the decision issued under the Data Protection Act 2000 is also transferable to the legal situation under the GDPR due to the comparability of the permissible facts). It cannot be deduced from Section 256 of the Insolvency Code that data on insolvencies may no longer be processed (at all), i.e. on the basis of other grounds for authorisation under Article 6 of the GDPR, if they have been deleted from the insolvency file. Such a restriction would contradict EU secondary law - at least with regard to the relevant ground for authorisation under Art. 6(1)(f) of the GDPR (see ECJ 24.11.2011, C-468/10 and C-469/10, ASNEF/FECEMD, para 48 f, according to which national provisions that require, for the processing of personal data, in addition to the foreseen balancing of interests, that these data are contained in publicly accessible sources, are contrary to Art. 7 lit f Data Protection Directive 95/46/EC, which essentially corresponds to Art. 6 (1) lit f GDPR).
2.5 On the complainant's objection to the use of his or her data: 
Nor can the objection raised by the complainant against the use of his/her data to the co-operating party under Article 21 GDPR justify the erasure of the personal data concerning him/her. Thus, in the objection, the data subject has to make a submission on his/her special situation; it has to be stated in what way a processing of the data, which in itself, as in this case, is based on the permissible element of "safeguarding the legitimate interests of the controller or a third party" pursuant to Art. 6 (1) lit f DSGVO, should nevertheless not be permissible due to a special situation (see also Haidinger in Knyrim, DatKomm Art. 21 DSGVO Rz 19). 
It should be noted that in his letter of request of XXXX 2018, the complainant did not explain why a special situation in the sense described above should exist in his case. The opposition was therefore ineffective for this reason alone. 
If, in the course of the further proceedings, the complainant claims that the data stored about him are old and incomplete, since he has been successfully active in business again since 2016, and that these old data are only capable of hindering him in his economic advancement and causing damage, as well as that the storage proves to be unlawful or disproportionate, he claims a violation of the general processing principles under Article 5 of the GDPR, namely data minimisation and data economy, and a defective balancing of interests within the framework of Article 5 of the GDPR. disproportionate, he alleges a breach of the general processing principles under Article 5 of the GDPR, namely data minimisation and data economy, and a defective balancing of interests under Article 6 of the GDPR, but no grounds arising from a specific situation concerning him. 
2.6 The processing of data on historical insolvencies and defaults of the complainant by the co-operating party is therefore necessary and lawful; an objection to the processing was not successfully raised. The complainant's request for erasure therefore comes to nothing in this regard, which is why the data protection authority was right to dismiss the complainant's data protection complaint.
2.7 In his reply of XXXX 2019, as well as in the complaint of XXXX 2019, the complainant also argued that he had not been comprehensively informed by the co-operating party about the intended processing of personal data, as provided for in Art. 13 GDPR. The discerning senate sees this as a fundamentally separate grievance from the original request for erasure from the complaint of XXXX 2018, which was not dealt with in the contested decision and thus has not yet been decided by the data protection authority. 
It is not overlooked that according to the decision of XXXX 2019, "the complaint" was dismissed as unfounded. However, as the subject matter of the complaint, the data protection authority further states that, based on the submissions of the complainant, the subject matter of the complaint is the question of whether the respondent [the now co-participating party] violated the complainant's right to erasure by not complying with his request for erasure of XXXX 2018 until the conclusion of the proceedings. Neither in the following statement of facts nor in the legal submissions was the complaint regarding the information obligations under Art. 13 GDPR addressed. 
Accordingly, the point of complaint regarding the information obligations pursuant to Art. 13 of the GDPR is not to be considered as covered and decided by the contested decision, but as still pending before the data protection authority and is thus not covered by the subject matter of the complaint. 
3) Since only legal questions were to be clarified in the proceedings, the holding of an oral hearing - which was not requested - could be waived pursuant to section 24(4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276). 
Re B) Admissibility of the appeal:
Pursuant to § 25a para 1 VwGG, the administrative court shall state in the ruling of its decision or order whether the appeal is admissible pursuant to Art. 133 para 4 B-VG. The decision shall be briefly substantiated.
The appeal is admissible because the legal issues to be resolved are of fundamental importance within the meaning of Art. 133 (4) B-VG. It is true that the question of how long data may be used in compliance with the processing principles of Art. 5 of the GDPR and the weighing of interests pursuant to Art. 6(1)(f) of the GDPR is, in principle, a non-reversible individual decision. However, there is no case law of the Administrative Court on the question of which principles such a balancing of interests must comply with; in particular, whether and under which conditions the provisions of the Capital Adequacy Regulation can be used as a guideline for determining the permissible storage period of creditworthiness data.
Therefore, the decision had to be in accordance with the ruling. 
European Case Law Identifier
ECLI:AT:BVWG:2020:W211.2225136.1.00