BVwG - W214 2228164-1

From GDPRhub
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR; Article 4(2) GDPR; Article 5 GDPR; Article 6(1)(f) GDPR; Article 17 GDPR; § 152 GewO 1994; § 1 DSG
Decided: 21.04.2021
Published:
Parties:
National Case Number/Name: W214 2228164-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W214.2228164.1.01
Appeal from: DSB (Austria), DSB-D124.970/0004-DSB/2019
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court of Austria (BVwG) confirmed the standards for processing data for credit scoring purposes in light of Articles 5(1)(c), 5(1)(e) and 6(1)(f) GDPR and held that financial data may be stored for more than 5 years. This also applies to insolvency data, even if they are no longer allowed to be in the insolvency file under national law.

English Summary

Facts

Insolvency proceedings were pending against the data subject due to claims in the amount of approximately €500,000. The proceedings were suspended in July 2016 because a reorganisation plan was filed in bankruptcy. The data subject paid the payment plan in August 2016.

The controller is a credit scoring agency with a trade license according to § 152 of the Austrian Trade Regulation Act (GewO). It used the aforementioned financial data in its file, on the basis of which the data subject's creditworthiness was assessed.

The controller rejected the data subject’s request to delete the financial data. Subsequently, the data subject filed a complaint before the Austrian DPA (DSB). The DSB decided that the right to be forgotten was not infringed and rejected the complaint.

The data subject has filed an administrative appeal against this decision.

Holding

The Austrian Federal Administrative Court (BVwG) ruled that the data subject was not entitled to deletion. Such a right did not arise from Article 17(1)(a), (c) or (d) GDPR.

In particular, this was justified by the fact that the processing operations at issue were in compliance with the principles of Article 5 GDPR and that they could be based on the legal basis of Article 6(1)(f) GDPR.

Compliance with Article 5 GDPR

The BVwG ruled that the principle of purpose limitation was respected. The assessment of creditworthiness by credit agencies is a defined and clear purpose recognised by the legal system, which can be derived from § 152 GewO. The data were also accurate and complete because the controller noted in its database that the reorganisation plan filed in bankruptcy was handled immediately by the complainant. The data were also fundamentally necessary and suitable for making a prognosis about the future payment behaviour of the data subject.

The court focused on the issues “storage limitation” and “data minimization” and decided that those principles were followed as well. It ruled that data on financial defaults can be processed for up to 5 years according to existing case law. This was derived as follows:

There are no concrete deadlines in the GDPR or in § 152 GewO on the permissible duration of processing, so a case-by-case decision is necessary. However, the court set some standards. First of all, it clarified that the respective data become less relevant the older they get. The court took the minimum period of five years in particular from Regulation (EU) No 575/2013 (Capital Requirements Regulation). Under that Regulation, credit institutions are obliged to carry out various risk assessments in relation to their clients and, in doing so, to refer to a period of at least five years. The court also took into account that the entry had been made not long ago and that, according to the insolvency petition, the liabilities were substantial, at approximately €500,000.

Lawfulness According to Article 6(1)(f) GDPR

The court ruled that the interests, especially those of the controller's customers as third parties within the meaning of Article 6(1)(f) GDPR, outweigh the interests of the data subject. The controller and its customers have a legitimate interest in assessing the credit risk of credit-receiving contractual partners. In addition, the processing supports compliance with the obligations of credit institutions under the Capital Requirements Regulation.

The data subject has an interest in not suffering any economic disadvantages.

The third-party interests prevail in the specific case. The court considered the following aspects in its decision:

  • Payment history is essential for credit risk assessment.
  • The Capital Requirements Regulation shows that the EU legislator considers a minimum observation period of five years to be necessary to assess the risk of receivables.
  • An important factor was that the proceedings were settled not too long ago.

The court ultimately held that recourse to Article 6(1)(f) GDPR was not barred by § 256 of the Austrian Insolvency Code (InsO). The permissibility of maintaining the insolvency file under data protection law is based on § 256 InsO, a legal obligation within the meaning of Article 6(1)(c) GDPR, whereas the permissibility of maintaining a creditworthiness database is based on overriding legitimate interests of the controller pursuant to Article 6(1)(f) GDPR. However, it cannot be derived from § 256 InsO that data on insolvencies may no longer be processed at all (i.e. on the basis of other grounds for permission under Article 6 GDPR) once they have been deleted from the insolvency file or if they have never been entered. Such a restriction would contradict EU secondary law, at least with regard to the relevant authorisation under Article 6(1)(f) GDPR.

Appeal Admissible

The court allowed an appeal regarding the aforementioned aspect. In principle, a non-reversible individual decision had been made on the processing duration with regard to financial data. However, there was no case law from the highest court on the principles that such a weighing of interests must satisfy. It is also unclear whether the Capital Adequacy Regulation can be used as a guideline.

Former Data Protection Commission Notices are Invalid

The controller also referred to notices issued by the Austrian data protection commission competent before the GDPR became effective. In these notices, certain data applications, in particular for credit agencies, had been "approved" subject to certain deletion periods. The court clarified that these decisions had become invalid due to the GDPR. In particular, they were not authorisations within the meaning of recital 171 of the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.