BVwG - W211 2234354-1

From GDPRhub
BVwG - W211 2234354-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 15 GDPR
Article 22 GDPR
Decided: 22.12.2021
Published: 18.01.2022
National Case Number/Name: W211 2234354-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W211.2234354.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court suspended a case on access under Article 15(1)(h) GDPR until the CJEU has decided on a request for preliminary ruling regarding the question if a credit score qualifies a as decision under Article 22 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject had requested access under Article 15 GDPR from the controller (a credit reference agency). The controller replied on the request but provided only very superficial information about the processing logic involved and the significance and the envisaged consequences for the data subject (Article 15(1)(h) GDPR). In particular, it remained unclear to the data subject as to how the controller had calculated certain credit scores. Consequently, the data subject lodged a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB).

The DSB upheld the complaint and ordered the controller inter alia to provide the data subject with meaningful information about the logic involved in the creation of the credit scores, as well as the significance and the envisaged consequences of these scores for the data subject. The controller filed an appeal against this decision with the Federal Administrative Court (Bundesverwaltungsgericht - BVwG).

Holding[edit | edit source]

The BVwG did not decide on the appeal but suspended the procedure. It held that of the main questions of the procedure was, whether the calculation and disclosure of a credit score by a credit reference agency as such qualifies as a "decision, which produces legal effects concerning the data subject or similarly significantly affects the data subject" within the meaning of Article 22 GDPR. As the Verwaltungsgericht Wiesbaden had already requested the CJEU's preliminary ruling under Article 267 on that matter, the BVwG decided to wait for the CJEU's ruling before further trying the case.

Comment[edit | edit source]

It appears that the BVwG is of the opinion that Article 15(1)(h) GDPR only applies if a decision within the meaning of Article 22 GDPR has been taken. The DSB on the other hand frequently held, that Article 15(1)(h) GDPR is not limited to cases of Article 22 GDPR but also applies in other cases of purely automated processing, as Article 15(1)(h) GDPR uses the words"at least in those cases".

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Federal Administrative Court

decision date

business number
W211 2234354-1

W211 2234354-1/3E

The Federal Administrative Court decides through the judge Mag.a Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as assessor on the complaint of XXXX, represented by Diwok Hermann Petsche Rechtsanwälte LLP & Co KG, against clause 2. c) of the decision of the data protection authority of XXXX, line XXXX, in a data protection matter:
Pursuant to Section 17 VwGVG in conjunction with Section 38 AVG, the procedure is pending a preliminary ruling by the Court of Justice of the European Union on the decision of the Wiesbaden Administrative Court of October 1, 2021, Zl 6 K 788/20.WI, (pending at the ECJ under C-634/ 21) submitted question 1. suspended.
The revision is not permitted according to Art. 133 Para. 4 B-VG.

The Federal Administrative Court considered:
I. Findings:
1. In a letter dated XXXX 2019, the party involved (a private individual, idF "mP") submitted a request for information in accordance with Art. 15 General Data Protection Regulation (GDPR) to XXXX (now the complainant - idF "BF"). The BF answered the request for information with a letter dated XXXX 2019 and a supplementary letter dated XXXX 2019.
In a letter dated XXXX 2019, the mP lodged a complaint with the data protection authority (formerly “DSB”) about the incompleteness of the information. In summary, she argued, among other things, that the information provided by the BF contained no information on the different scoring in the areas of creditworthiness, solvency, willingness to pay, the risk factor, KKE factors, etc. The information was therefore incomplete in key points and only contained name and date of birth , address, date of incorporation and company address.
After being heard by the parties and a statement from the BF of XXXX 2019, the MP additionally submitted in letters dated XXXX 2019 and XXXX 2019 that her right to information was still violated, since it was not comprehensible how reliable information could be derived from the disclosed data creditworthiness and willingness to pay can be derived. It can therefore be assumed that BF also processes personal data relating to them. The question arises as to which personal data would be used to determine scoring values such as "571" or "581", which statements are associated with these values and what the implications are with regard to Art. 13 (2) lit. f and Art. 14 para. 2 lit. g GDPR are associated with it. The question also arises as to what the scores would relate to (creditworthiness or unwillingness to pay). In addition, it is unclear how the database products mentioned would differ with regard to the processing of personal data in terms of the logic involved and the consequences for the mP.
With the decision of the DSB of XXXX 2020, the complaint was partially granted and it was found that the BF had thereby violated the mP's right to information, in that the information from XXXX 2019 and the further information from XXXX 2019 were incomplete (point 1.). In point 2 of the ruling, the BF was instructed to give the mP within a period of four weeks, otherwise execution: a) sufficiently clear information with regard to the processing purposes, whereby in particular it was to be explained which specific data the mP processed for the purpose of exercising which trade b) the planned storage period for the creditworthiness scores transmitted to the recipients ("transmitted value") in the BF database together with the related information and c) meaningful information about the logic involved and the scope and intended effects of the mP relevant credit rating to give. The MP's application for the imposition of a fine against the Respondent was rejected (paragraph 3). Otherwise, the complaint was dismissed (point 4).
The DSB explained in point 2. c) that the BF cannot be understood as a processor within the meaning of Art. 4 Z 8 DSGVO, since it does not just process data on behalf of the respective customer, but processing independently of this in the context of exercising the Trade carried out according to § 152 GewO 1994, and the "score formula" is determined by the BF itself. The argument of the BF that the information transmitted to the querying company would only represent part of the decision-making process taking place at the company and that it was not an automated decision in individual cases is not convincing, since according to Art. 22 Para. 1 DSGVO for the If there is automated decision-making in an individual case, on the one hand a decision based exclusively on automated processing, including profiling, and on the other hand there must be an associated legal effect or other significant impairment. The first element is fulfilled, since the assessment of creditworthiness according to recital 71 first sentence GDPR is a case of profiling. The second element is also fulfilled, since the trade is carried out according to § 152 GewO 1994 with the intention of making the calculated creditworthiness values available to end customers who inquire against payment of a fee. The BF thus practices the trade mentioned in order to bring calculated credit ratings into commercial circulation. This calculation of creditworthiness is therefore an independent decision-making process, which takes place at BF and which, according to general experience, is associated with considerable impairments in economic life. If an end customer who obtains the credit report makes a certain decision on the basis of the calculated creditworthiness, for example by using the creditworthiness result as a basis for his economic decision without questioning it, this is a second independent decision-making process for the end customer.
If the BF pointed out in this context that the principle on which the calculation was based was a trade secret, it was to be countered that information could not be refused with a blanket reference to trade and company secrets, and any restrictions of the right to information would be assessed on a case-by-case basis and would have to be proportionate. Incidentally, no extensive mathematical explanations or detailed descriptions of how algorithms work are required, only information about the logic involved. However, this information would have to be meaningful enough for a data subject to be able to claim the other data subject rights, for example to be able to have a certain parameter relevant to the decision-making process corrected. However, mere general information about the parameters, as in the present case, would not do justice to this right to information, which is why the information should be completed accordingly.
The BF lodged a complaint against clause 2. c) of the decision of the DSB of XXXX 2020, in which it stated in summary that there was no right to information pursuant to Article 15 (1) lit. h GDPR against the BF because it did not exclusively make a decision based on automated processing within the meaning of Art. 22 (1) GDPR, the calculation of the creditworthiness by BF does not have any legal effects on those affected, nor does it significantly affect them in a similar way. Even if the facts of Art. 15 Para. 1 lit. h GDPR were fulfilled, the reason for refusing information would conflict with the endangerment of trade secrets. Even if one were to deny the existence of a reason for refusing information, the information had already been given sufficiently.
2. With its decision of October 1, 2021, Zl 6 K 788/20.WI, the Wiesbaden Administrative Court submitted the following questions to the Court of Justice of the European Union (ECJ) for a preliminary ruling, which are pending at the ECJ for Zl C-634/21:
"1. Is Art. 22 Para. 1 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC ( - DS-GVO -, OJ EU L No. 119 of May 4th, 2016, p Processing - including profiling - based decision, which has legal effect on the data subject or significantly affects them in a similar way, if this value determined using personal data of the data subject is transmitted by the person responsible to a third party responsible and that third party uses this value of his decision about the establishment, implementation or termination of a contractual relationship with the data subject is decisive?
2. If the first question referred is to be answered in the negative: Are Art. 6 (1) and Art Probability value - in this case about the solvency and willingness to pay of a natural person when including information about claims - about a specific future behavior of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with this person (scoring) is only permissible, if certain additional requirements, which are detailed in the statement of reasons for the submission, are met?"
2. Evidence assessment:
The statements to 1.1. result from the file situation, the request for a preliminary ruling under 1.2. of the Wiesbaden Administrative Court is available at, last accessed on December 15, 2021.
3. Legal assessment:
to A)
3.1. According to § 38 AVG, which according to § 17 VwGVG is also to be applied mutatis mutandis in administrative court proceedings, an authority can suspend proceedings until a final decision has been taken on preliminary questions that would have to be decided as main questions by other administrative authorities or by the courts, if the preliminary question already is the subject of pending proceedings before, inter alia, the competent court or such proceedings are pending at the same time.
3.2. A main question in this sense can also be a preliminary question in a preliminary ruling procedure pending before the ECJ. It entitles you to a suspension according to § 38 AVG if it is prior to the administrative court proceedings (cf. e.g. VwGH 13.12.2011, 2011/22/0316). A legal question is also prejudicial to a "merely" similar legal question, even if the same legal regulation of the same legislator is not affected (cf. recently VwGH September 13, 2017, Ra 2017/12/0068).
3.3. In the case pending before the BVwG, the BF's complaint is based on the premise that, as a credit rating agency, it does not make automated decisions in individual cases, including profiling, in the sense of Art. 22 Para. 1 - 4 DSGVO and therefore also complies with the corresponding information obligation of Art. 15 Para. 1 lit. h GDPR, which refers to Art. 22 GDPR.
3.4. In the decision of October 1, 2021, the Wiesbaden Administrative Court justified its question 1 in this context as follows:
"Applicability of Art. 22 Para. 1 DS-GVO to credit agencies
According to Art. 22 Para. 1 DS-GVO, a data subject has the right not to be subject to a decision based solely on automated processing - including profiling - which has a legal effect on them or significantly affects them in a similar way. The regulation is based on the previous regulation Art. 15 of the Directive 95/46/EG. According to its wording, it seems to be a right of the data subject that must be exercised. On the other hand, the referring court is convinced that the provision establishes a fundamental prohibition, the violation of which does not require an individual assertion.
Activities such as the disputed automated compilation of personal data - carried out by the summoned party - to determine a probability value for a specific future behavior of a natural person for the purpose of transmission to third parties for their decision on the establishment, implementation or termination of a contractual relationship with this person concerned are covered in any case according to the content of the activity under the regulatory regime of Art. 22 Para. 1 DS-GVO. According to its clear wording, the provision not only covers, but also, decisions that are made on the basis of profiling, see also recital 71 sentence 2. The latter is legally defined in Art. 4 No. 4 DS-GVO as any type of automated processing personal data, which consists in using this personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behavior, Analyze or predict the whereabouts or relocation of that natural person.
The creation of score values satisfies these defining characteristics. This is also supported by EG 71 p. 2, according to which profiling also includes the analysis or prognosis of aspects relating to the economic situation, reliability or behavior of a person. EG 71 S. 1 also mentions the automatic rejection of an online loan application as an example of decisions within the meaning of Art. 22 Para. 1 DS-GVO. In this respect, Art. 22 Para. 1 DS-GVO is generally applicable to cases like the one here, at least with regard to the fact that the creation of a score value is a sub-category of profiling within the meaning of Art. 4 No. 4 DS- represents GMOs.
In essence, the referring court considers it obvious that in cases such as the one at issue, the factual element of a decision based exclusively on automated processing, which is required by Art. 22 (1) GDPR, is also fulfilled. This does not conflict with the fact that, according to the above-mentioned statement, the main activity of credit agencies - such as the summoned party - the determination of score values should be a sub-category of profiling according to the recitals. It is true that the legislator apparently intended not to regulate the admissibility of profiling under data protection law independently through Art. 22 (1) DS-GVO, but to address profiling only insofar as it is part of a decision based on an automated decision. This is evident from the wording of the provision, which bases its ban on the decision based on profiling – or other automated data processing – but not on the profiling itself.
However, the court assumes that the creation of a score value by a credit agency is not just a profiling that prepares the decision of the third party responsible, but an independent "decision" within the meaning of Art. 22 Para. 1 DS-GVO.
In view of the wording of Art. 22 (1) GDPR, the court is aware that the provision can be understood and is also widely understood in a restrictive interpretation in such a way that it does not have any direct impact on the activities of credit agencies such as those summoned applies. In the opinion of the court, however, such an assumption is based on an incorrect understanding of the activities of credit reporting agencies and the influence of the score values they produce. Because the assumption is based on the idea that credit agencies do not make the decision relevant to Art. 22 Para They only prepare the final decision of the person responsible, so to speak, since when they transmit the score value they typically do not also make a recommendation to the third person responsible for or against a contractual agreement with the data subject.
In its provisions and recitals, the GDPR makes a conceptual differentiation between processing on the one hand and decisions based on processing on the other hand and does not intend to make any independent material specifications for profiling. Art. 4 No. 4 DS-GVO stipulates that profiling within the meaning of the DS-GVO is “any type of automated processing of personal data” “to evaluate certain personal aspects relating to a natural person”. The wording of the legal definition can therefore be understood to mean that profiling is not only the determination of the parameters for the evaluation result, but also includes the evaluation result. With regard to the present case, this could also include the automated compilation of the individual characteristics with the aim of subtracting an overall score value by a credit agency and actually determining it. Article 21 (1) sentence 1 GDPR could also be interpreted in the direction of such an understanding of the term, according to which the right of the data subject to object relates to any processing and, according to Clause 2, in particular to processing based on the provisions of the GDPR profiling. Ultimately, the differentiation between automated processing through profiling on the one hand and decision-making on the other hand emerges primarily from Art. 22 (1) GDPR. Since Art. 22 (1) GDPR stipulates that a data subject has the right "not to be subjected to a decision based solely on automated processing - including profiling", the provision explicitly establishes a causal link and a mandatory sequence in terms of time from automated processing (including profiling) and decisions based thereon. The intention of the legislature to distinguish between the two terms is also supported by recital 71 p. 1, 2. While Recital 71 Sentence 1 explains that the data subject should have the right not to be subject to a decision evaluating personal information concerning them that is based solely on automated processing, Recital 71 Sentence 2 supplements this assumption that "such processing" – consequently not among the “decisions” – also include profiling. As an example of a "decision", recital 71 sentence 1 names the automatic rejection of a loan application as an example, i.e. it addresses the local case constellation in rough outlines insofar as the negative decision of the credit institution towards the plaintiff is the relevant "decision", but not the creation of the score value by the summoned party. Ultimately, the wording of Art. 21 Para. 1 S. 1, 22 Para. 1 and 4 No. 4 DS-GVO and recital 71 S. 1, 2 and 72 can be understood to mean that case constellations such as those in the main proceedings are based lying, in which a credit agency determines a score value, constitutes "processing", but not a "decision" within the meaning of Art. 22 Para. 1 DS-GVO.
However, the referring court has considerable doubts about such a restrictive interpretation of Art. 22 (1) GDPR. It sees strong evidence that the automated creation of a score by credit agencies for the prognostic assessment of the economic performance of a data subject is an independent decision based on automated processing within the meaning of Article 22 (1) GDPR. In fact, the referring court bases its doubts on the importance of the score created by credit reporting agencies for the decision-making practice of third-party controllers and, legally, on the data set out in Art. 22 Para. 1 DS-GVO and the legal protection guarantees guaranteed in Art. 87 et seq. DS-GVO:
In fact, the court has serious reservations about the assumption that, if a score is available for a data subject, third parties would make the individual case decision required by Art. 22 (1) GDPR and not solely based on automation. Although, at least purely hypothetically, the third party responsible can make its own decision about whether and how to enter into a contractual relationship with the data subject, because at this stage of the decision-making process a human-controlled individual decision is in principle still possible, this decision is carried out to such a considerable extent in practice determines the score value transmitted by credit agencies, so that it has an impact on the decision of the third party responsible. To put it another way: Ultimately, the score value created by the credit agency on the basis of automated processing decides whether and how the contract is entered into between the third party responsible and the data subject. The third person responsible does not have to base his decision solely on the score value, but usually does so to a significant extent. Lending may be refused despite a fundamentally sufficient score value (for other reasons, such as the lack of collateral or doubts about the success of an investment to be financed), an insufficient score value, on the other hand, is at least in the area of consumer loans in almost everyone Fall and also lead to the refusal of a loan if, for example, an investment otherwise appears to be worthwhile. Experience from the official data protection supervisory authority shows that score values play a decisive role in lending and the design of their conditions (see LfDI BW, New brochure: Scoring - solid prognosis or lousy number?, https://www.baden-wuerttemberg. (as of September 30, 2021)).
However, Art. 22 (1) GDPR – subject to the exceptions in Art. 22 (2) GDPR – is intended to protect the person concerned from the dangers of this form of decision, which is based purely on automation. It is the concern of the legislator to prevent decision-making from taking place without individual assessment and evaluation by a human being. The person concerned should not be at the mercy of an exclusively technical and opaque process without being able to understand the underlying assumptions and assessment standards and, if necessary, to be able to intervene by exercising their rights. In addition to protection against discriminatory decisions based on supposedly objective data processing programs, the regulatory concern is also the creation of transparency and fairness in decision-making. Decisions about the exercise of individual freedoms should not be left unchecked to the logic of algorithms. Because algorithms work with correlations and probabilities that do not necessarily follow a causality and do not necessarily lead to "correct" results according to human insight. Rather, incorrect, unfair or discriminatory conclusions can be drawn from the systematization of correct individual data, which – if they are used as the basis for decision-making – significantly affect the freedom rights of the person concerned and degrade him from the subject to the object of a depersonalized decision. This is particularly true if the person concerned does not know about the use of algorithms or - if they do - cannot overlook which data, with what weight and through which analysis methods, flow into the decision. Precisely this concern of the legislator, to prescribe a human corrective for automated data processing in principle and to only allow breakthroughs in limited exceptional cases (Art. 22 Para. 2 DS-GVO), is counteracted, however, because the automatically created score value is fundamentally outstanding in the decision-making process of the third party responsible.
The legislator wanted to solve this basic conflict by means of the prohibition contained in Art. 22 Para. 1 DS-GVO "at the expense" of the third party responsible by starting with the (last) decision towards the data subject. In this respect, procedural requirements for profiling are only formulated in recital 71, sentence 6, which is relevant for profiling. Otherwise, the admissibility of data processing for the purpose of profiling results at best from the general processing facts of Art. 6 Para. 1 DSGVO. This follows both from Article 21 Paragraph 1 Sentence 1 Hs. 2 DS-GVO, which refers to Article 6 Paragraph 1 UA 1 lit. e and f DS-GVO as a possible legal basis for profiling, and from Recital 72 S 1, according to which profiling is subject to the provisions of the GDPR for the processing of personal data, i.e. also the legal basis for processing or the data protection principles.
As a result of these merely truncated requirements of the DS-GVO on profiling on the one hand and the basic postulate from Art. 22 Para. 1 DS-GVO on the other hand, the problem of effective legal enforcement by data subjects arises in particular. In addition to the supervisory control mechanism, it is the decisive legal enforcement mechanism of the GDPR. This is shown not only by the balanced and comprehensively regulated rights of complaint and action from Art. 87 et seq. GDPR, but also the accompanying rights of data subjects from Art. 12 et seq. GDPR. The aim of the GDPR is to enable and mobilize responsible citizens of the Union to enforce the law through appropriate provisions, in particular on the right to information and transparency requirements.
These rights are undermined by the interplay of activity and (lack of) obligations on the part of the credit agencies and the decision-making practice of the third parties responsible. The person concerned has a general right to information in accordance with Art. 15 GDPR; However, this does not do justice to the special features of profiling, which the GDPR seeks to address through Articles 15(1)(h), 21(1) sentence 1 clause 2, 22 GDPR. Because within the framework of the general right to information, the credit agencies are not obliged to disclose the logic and composition of the parameters decisive for the creation of the score value; they do not do this for reasons of competition protection, citing their trade and business secrets.
Even the third party responsible cannot provide the data subject with information about the creation of the score, on which his decision is based, because he does not know the logic involved; it is not disclosed to him by the credit agency.
This creates a gap in legal protection: Anyone from whom the information required for the data subject could be obtained is not obliged to provide information under Article 15 (1) (h) GDPR because they allegedly do not have their own "automated decision-making" within the meaning of Article 15(1)(h) GDPR, and those who base their decision-making on the automatically created score value and are obliged to provide information under Article 15(1)(h) GDPR cannot provide the required information because he doesn't have it.
If the creation of the score value by a credit agency falls within the scope of Art. 22 Para. 1 DS-GVO, this gap in legal protection is closed. Not only does the creation of score values fall under the prohibition of Art. 22 Para. 1 DS-GVO, so that they are based on exclusively automated processing only according to the exceptional circumstances of Art. 22 Para. 2 DS-GVO and thus the intention of the Union donor after at least regulatory containment of such decisions. Taking into account the opening clause of Article 22(2)(b) of the GDPR, this approach also enables the Member States to regulate in detail such decision-making processes that they were denied under the previous provisions of the GDPR on profiling and automated decision-making (see question referred). 2).
The gap in legal protection is also not sufficiently closed by the data subject's right to object pursuant to Art. 21 (1) Sentence 1 Hs. 2 DS-GVO. According to this, the data subject has the right, "for reasons arising from their particular situation, to object at any time to the processing of personal data relating to them, which is based on Article 6 Para. UA 1 lit. e or f; this also applies to profiling based on these provisions". However, in the case of credit reporting agencies, the data subject typically does not know that they have become the subject of an automated scoring process. She typically only finds out about this when a third party responsible has already made a decision that is disadvantageous to her, with reference to the score value. At this point in time, however, the right to object no longer helps her, at least with regard to the closed case; In this respect, they can only exercise their right to object to future data processing by the credit agency."
3.5. Question 1, which was submitted to the Court of Justice of the European Union by decision of the Wiesbaden Administrative Court of October 1, 2021, is similar to the legal question to be resolved in the present proceedings in the sense of the case law cited above; it is also prejudicial: Whether the creditworthiness values determined by a credit agency are to be regarded as automated decisions in individual cases within the meaning of Art. 22 Para. 1 - 4 DSGVO is decisive for the question of whether accordingly by the credit agency according to Art. 15 Para. 1 lit . h GDPR information is to be provided.
3.6. The suspension of the complaints procedure - with not just a procedural decision (cf. VwGH 20.12.2017, Ra 2017/12/0019) - until the preliminary decision by the ECJ on the decision of the Wiesbaden Administrative Court of 01.10.2021, Zl 6 K 788 /20.WI, (pending at the ECJ under C-634/21) submitted question 1 decided.
Re B) Inadmissibility of the revision:
Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.
According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. With regard to the application of § 38 AVG, the adjudicating court was able to rely on a well-established case law of the Administrative Court, which was cited in each case. An assessment of a legal question pending before another court as prejudicial to the proceedings at hand – as here – within the framework of these principles established by the Administrative Court, is not reversible (cf. VwGH September 13, 2017, Ra 2017/12/0068).

European Case Law Identifier