BVwG - W256 2223741-1
|Relevant Law:|Article 5 GDPR; Article 6(1)(f) GDPR; Article 17 GDPR; § 152 Austrian Trade Regulation Act (Gewerbeordnung 1994 - GewO)|
|Parties:|1) unknown data subject (complainant before the DSB); 2) Austrian Credit Reference Agency (respondent before the DSB)|
|National Case Number/Name:|W256 2223741-1|
|European Case Law Identifier:|ECLI:AT:BVWG:2022:W256.2223741.1.00|
|Appeal from:|DSB (Austria)|
|Original Source:|Rechtsinformationssystem des Bundes (RIS) (in German)|
The Federal Administrative Court held that a credit reference agency is allowed to collect data from the national public insolvency registry and process it for at least five years after the clearance of the underlying debts.
English Summary
Facts
In February 2019, an insolvency procedure was opened in relation to the data subject and published in the national insolvency registry (Insolvenzdatei). After the data subject had learned that a credit reference agency (controller) had collected that data on him and was storing it in its creditworthiness database, he sent an erasure request under Article 17 GDPR to the controller. The controller refused to erase the data, arguing that it was allowed to process the data under Article 6(1)(f) GDPR.
Consequently, the data subject lodged a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) against the controller. The DSB dismissed the complaint, holding that the controller has a legitimate interest under Article 6(1)(f) GDPR to collect and process data on insolvency procedures in order to assess the data subject's creditworthiness.
The data subject filed an appeal against that decision with the Federal Administrative Court (Bundesverwaltungsgericht - BVwG).
Holding
The BVwG dismissed the appeal and upheld the DSB's decision. It held that data on insolvency procedures are apt information to assess an individual's creditworthiness. The BVwG then referred to established BVwG case-law (see e.g. BVwG - W211 2225136-1, BVwG - W274 2232028-1/3E or BVwG - W214 2228164-1) according to which the rules of the Capital Requirements Regulation (Regulation 575/2013) should be taken into account when assessing the legitimate storage duration for data on payment defaults or insolvencies. As a result, the BVwG held that the controller is allowed to store data obtained from the Insolvenzdatei for a five-year period after the clearance of the underlying debts.
Comment
The decision falls in line with established BVwG case-law. Unfortunately, the BVwG did not take into account the VG Wiesbaden's request for a preliminary ruling (C-26/22) and did not stay the procedure until the CJEU's decision on that request. Should the CJEU decide that collecting data from public insolvency registries is unlawful, or that it is lawful but the data must not be stored longer than it is publicly available, the controller in the case at hand will have to delete the data on the data subject's insolvency.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date: 04/11/2022
Standard: B-VG Art133 Para.4; GDPR Art5; DSGVO Art6 Abs1 litf; Trade Regulations 1994 §152
Saying: W256 2223741-1/6E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court has the judge Mag. Caroline Kimm as chairwoman, the expert lay judges Dr. Claudia Rosenmayr-Klemenz and Mag. Adriana Mandl as assessors on the complaint of XXXX, represented by Mag. Georg Luckmann, lawyer in 9020 Klagenfurt, against the decision of the data protection authority of July 29, 2019, GZ: DSB-D124-458/0007-DSB/2019 rightly recognised:
A) The complaint is dismissed as unfounded.
B) The revision is permissible in accordance with Art. 133 Para. 4 B-VG.
Text
Reasons for decision:
I. Procedure:
In his complaint to the data protection authority of April 21, 2019, the complainant alleged a violation of his right to erasure under Art. 17 GDPR by the XXXX (interested party). He filed for personal bankruptcy in February 2019. On February 18, 2019, he sent an e-mail request for deletion - which is attached to the complaint - to the party involved. The party involved then informed the complainant that it was not possible to delete his data about the private bankruptcy. The complainant considers this answer incorrect.
At the request of the authority concerned, the party involved informed the authority concerned in its statement of June 12, 2019 that although no specific insolvency data would be processed about the complainant, there was an indication of insolvency proceedings. This is done lawfully on the basis of Art 6 Para 1 lit f GDPR. The processing of this data to assess the creditworthiness is necessary for the person responsible and also serves to protect legitimate interests, because otherwise the trade according to § 152 GewO cannot be exercised unhindered.
On the other hand, the economy that grants a loan as a "third party" also has a vital legitimate interest in being able to check the creditworthiness of loan applicants, and there is a legal obligation to do so, at least for financial institutions. In this respect, they have a legitimate interest in receiving information about the insolvency situation of the person concerned. In any case, the interest of the information seeker for a credit report far outweighs the interest of the complainant in having the insolvency notice deleted, not least because this information from the edict file is available to everyone, even those who can claim no legal interest at all. Ultimately, it should be noted that the complainant did not show any other or even special circumstances that could have been taken into account in the course of examining his request for deletion.
In this regard, the complainant stated in his statement of July 8, 2019, during the hearing of the parties, that it was correct that debt settlement proceedings had been conducted against him for number XXXX by the district court XXXX and that these proceedings had been canceled after the payment plan had been accepted by decision of July 1, 2019. Unconditional claims totaling EUR 1,510,051.12 and a conditional claim totaling EUR 200,000.00 were established. However, for the assessment of the facts in question and in particular the question of the extent to which storage of the reference to insolvency proceedings is permissible, the fact is that all creditors involved in the debt settlement proceedings carried out by the complainant have claims based on the personal liability of the complainant for the insolvent and meanwhile deleted XXXX were registered. The complainant, on the other hand, had never personally taken out credit liabilities that he had not repaid.
With the contested decision of the authority concerned, the complainant's complaint about a violation of the right to erasure was dismissed. The authority concerned stated that the insolvency file of the judiciary publicly noted that debt settlement proceedings had been opened on February 5, 2019, which had been lifted after the legally binding confirmation of a payment plan by decision of July 1, 2019. In the XXXX database operated by the party involved, there is a note on the complainant that the party involved has information about the complainant's insolvency proceedings. The processing of data relevant to creditworthiness by a credit agency within the meaning of Section 152 of the Industrial Code is covered by this provision and the legality of the processing of this data does not depend on the prior consent of a data subject. It can also be assumed that by anchoring this activity in law, the legislature assumes that this commercial activity is fundamentally permissible, so that there may be legal authority to process this data. Since the exercise of this commercial activity without the collection, storage and transfer of corresponding data is not reasonably conceivable, it must also be assumed that the legislature in certain case categories has a legitimate interest of these tradespeople in using data on "credit relationships" that overrides the interests of those affected have considered. In the absence of special rules for credit reporting agencies, the general principles of the GDPR apply, according to which, among other things, personal data may only be collected for specified, clear and legitimate purposes (Article 5 (1) (b) GDPR). 
In addition, since the information relating to the complainant's debt settlement procedure in the insolvency file is publicly available to everyone and the addition to the database also does not represent any added value about the complainant's person, the relevant authority does not see any reasons that would oblige the party involved to delete the data that is the subject of the procedure.
The complainant lodged an appeal with the Federal Administrative Court against this decision. The authority concerned had completely ignored the fact that the complainant's creditworthiness was in no way restricted due to the circumstances prevailing in the insolvency proceedings, since it was not the complainant, but rather the GmbH who failed to meet their payment obligations. The fact that the complainant's creditors had wrested declarations of liability from him that were more than a threat to his existence was irrelevant to his own creditworthiness. Apart from that, processing by the party involved is otherwise not necessary. The mere fact that the data of the insolvency proceedings in the edict file is publicly accessible to everyone cannot justify the party involved being entitled to publish it. There is also no interest in further creditor protection, since everyone has the opportunity to inspect the edict file.
The authority concerned submitted the complaint together with the procedural file to the Federal Administrative Court and submitted a counter-document. In the statement of May 20, 2021, the party involved essentially repeated its argument that processing of insolvency data is necessary to assess creditworthiness and also serves to protect legitimate interests, because otherwise the trade pursuant to Section 152 GewO could not be practiced unhindered.
II. The Federal Administrative Court considered:
1. Findings:
The party involved operates a credit agency, in the context of which it issues credit reports.
On February 18, 2019, the complainant submitted a request for cancellation of his insolvency proceedings to the party involved, which was rejected with a reply from the party involved dated March 20, 2019. The involved party has stored the following relevant data about the complainant's insolvency proceedings, and it is noted in the XXXX of the involved party: "Credit data: We have no entries. In addition, we have information about insolvency proceedings." The complainant's insolvency proceedings were opened by the court on February 5, 2019 and, after confirmation of a payment plan, were lifted by resolution in July 2019.
2. Evidence assessment:
These (otherwise undisputed) findings result from the submissions made in the proceedings and the letters submitted therein.
3. Legal assessment:
The complainant sees the decision of the relevant authority as aggravating because the reference to insolvency proceedings concerning him contained in the XXXX of the party involved is unlawful. However, the complainant is wrong: Personal data must be deleted at the request of the data subject, among other things, if they are no longer necessary for the purposes for which they were collected or otherwise processed, they were processed unlawfully or the data subject objects in accordance with Article 21 (1) GDPR against their processing (Art. 17 para. 1 lit. a, c 1st case and d GDPR). A request for deletion would therefore conflict with the use of data that is necessary and lawful and against which no effective objection has been raised. The processing of personal data is permitted if it is carried out - in compliance with the processing principles specified in Art. 5 GDPR - on the basis of one of the permissions specified in Art. 6 GDPR.
To comply with the processing principles according to Art. 5 GDPR:
According to the processing principles according to Art. 5 GDPR, personal data - insofar as relevant to the process - must be collected for specified, clear and legitimate purposes ("purpose limitation"), be appropriate and relevant to the purpose and limited to what is necessary for the purposes of processing ("data minimization"), accurate and, where necessary, up-to-date ("accuracy") and stored in a form that allows identification of data subjects for no longer than is necessary for the purposes for which they are processed ("memory limitation").
The party involved runs the business of credit reporting according to § 152 GewO. The tasks of traders within the meaning of § 152 GewO include providing information on the creditworthiness of companies and private individuals to third parties. This should provide lenders with meaningful information about existing or potential borrowers, and in particular about the way in which they have paid their debts to date (Riesz in Ennöckl/Raschauer/Wessely, GewO § 152 Rz 2). This should enable lenders to determine the probability with which the lender will ultimately be satisfied because of his claim and, if necessary, the prognosis of how many difficulties this is associated with (Wendehorst, What is creditworthiness? On the concept of "creditworthiness" in § 7 VKrG, in Blaschek/Habersberger (editors), Worthy of a loan? (2011) 22). A tendency towards behavior contrary to the contract - such as a lack of financial self-control or habitual delaying of payments to the point of pressure for execution - can be predicted above all from financial behavior in the past. Relevant here is past breach of contract, which may have manifested itself in simple default of payment, but also in court proceedings up to execution acts or even in the opening of insolvency proceedings (loc. cit. 23; cf. also Heinrich, Credit assessment in consumer credit law (Vienna 2014) 89 f).
In the course of conducting the credit reporting business, the intervening party processes, among other things, the complainant's bankruptcy notice in order to provide this information to creditors so that they can determine the risk of any payment defaults. This is a defined, unambiguous purpose recognized by the legal system (§ 152 GewO). Insolvency data are also fundamentally necessary and suitable in order to be able to make a forecast about the future payment behavior of the complainant (see also ECJ 23.11.2006, Case C-238/05 Rz 47, according to which systems for the exchange of information between financial institutions regarding the solvency of customers improve the predictability of the probability of repayment, which is why they are generally suitable for reducing the default rate of borrowers and thereby increasing the efficiency of the loan offer). The fact that the insolvency proceedings in question - as repeatedly criticized by the complainant in the proceedings - is (only) due to the complainant's personal liability for a company and not to himself does not change the fact that in this case too there was a payment default and, as a further consequence, court insolvency proceedings were instituted against the complainant.
As a guide to how long creditworthiness data is suitable for assessing the creditworthiness of a (potential) debtor, observation or deletion periods in legal provisions that serve to protect creditors or specify the requirements for a suitable creditworthiness assessment in more detail can be used. In this context, reference is made to the case law of the Federal Administrative Court (W258 2216873-1/7E of October 30, 2019, W211 2225136-1/5E of July 28, 2020, W274 2232028-1/3E of October 21, 2020, W214 2228164-1 of April 21, 2021), according to which the provisions of Regulation (EU) No. 575/2013 of the European Parliament and of the Council of June 26, 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 646/2012 ("Capital Adequacy Ordinance") can be used as a guideline. In these provisions, credit institutions are required, among other things, to evaluate their customers and assess various risks of their receivables. For credit and retail exposures to natural persons, credit institutions that are allowed to calculate their risk-weighted exposure amounts using an approach based on internal assessments (Art. 143 Para. 1 leg cit), pursuant to Art. 151 Para. 6 in conjunction with Art. 180 Para. 2 lit. a and e leg cit to estimate the probability of default of the receivable (PD) using, among other things, the long-term average of the annual default rate; a historical observation period of at least five years for at least one data source, which can also be external, is to be used as a basis. According to Article 151 (7) in conjunction with Article 181 (2) c leg cit, the estimate of the loss given default (LGD) to be carried out must also relate to a period of at least five years. The (EU) legislator therefore assumes that data on any payment defaults over a period of at least five years is relevant for the assessment of the creditworthiness of a (potential) debtor or the risk of a claim.
If banks, as potential business partners of the party involved, are partially legally obliged to assess their claims based on the default rates of at least the last five years, and if - as here - the creditworthiness database of the party involved should also serve to provide banks with data that they can use for their partly mandatory assessment, it cannot be recognized as a violation of the principle of data minimization or storage limitation if the party involved processes a reference to insolvency proceedings being conducted against the complainant, which were only instituted in court in February 2019 and thus regardless of any interim proceedings at least less than 5 years ago.
Permission according to Art. 6 Para. 1 lit. f GDPR:
The processing of personal data is permitted, among other things, in accordance with Article 6 (1) (f) GDPR if it is necessary to protect the legitimate interests of the person responsible or a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail. A weighing of interests must be carried out on a case-by-case basis, in which the legitimate interests of the person responsible or a third party for the processing are to be compared with the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data (for the comparable previous provision of Art. 7 lit. f Data Protection Directive 95/46/EG cf. ECJ 04.05.2017, C-13/16, Rigas satiksme, margin no. 31). On the one hand, the interests of the person responsible and of third parties (possible business partners of the party involved) and on the other hand, the interests, rights and expectations of the data subject must be taken into account (Recital 47 GDPR).
As soon as contracts contain a credit risk, the involved party and their customers have a comprehensible interest on the part of the crediting contractual partner in assessing this risk. The processing of data on insolvencies is carried out to protect potential contractual partners of the data subject who are third parties within the meaning of Article 6 (1) (f) GDPR (see also Schantz in Simitis, Hornung, Spiecker, data protection law, Article 6 (1) Rz 133 f, 137). It also serves to support banks in fulfilling the provisions of the Capital Adequacy Ordinance, which stipulate an observation period of at least five years with regard to the estimation of risk parameters. On the other hand, data subjects have an interest in not being affected by disadvantages in economic life due to the processing. In summary, it emerges that due to the interest of the contractual partners of the party involved in assessing credit risks, it is essential to observe the historical insolvencies of the potential debtor. The processing of information about insolvency proceedings, which in any case date back less than 5 years, is also necessary for the party involved against the background that the EU legislator deems it necessary to assess the risk of claims based on an observation period of at least five years of past payment defaults. The interests of affected persons, such as the complainant, in the secrecy of the data of his insolvency proceedings in order to avoid disadvantages in business life, do not prevail if the insolvency proceedings - as here - were less than 5 years ago. For these reasons, the storage of the data was and is justified. Based on the above, it follows that the storage of the data on the complainant's insolvency proceedings in the database of the intervening party is justified. The complainant's request for deletion is therefore in vain in this respect, which is why the relevant authority rightly rejected the complainant's (data protection) complaint. 
It was therefore to be decided by the Senate in accordance with the verdict.
Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio. According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can refrain from a hearing regardless of a party's application if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and neither Art. 6 Para. 1 ECHR nor Art. 47 CFR preclude the omission of the hearing. In the present case, no request for an oral hearing was made and the omission of an oral hearing could also be based on the fact that the facts of the case had been clarified from the file situation. The use of further evidence was not necessary to clarify the facts. In the present case, the Federal Administrative Court only has to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34 et seq.). According to the case law of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.6.2012, B 155/12). It was therefore not necessary to conduct an oral hearing.
On the admissibility of a revision:
Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. This statement needs a brief justification. The revision is admissible because legal issues had to be resolved which are of fundamental importance within the meaning of Art. 133 Para. 4 B-VG. It is true that the question of how long data may be used in compliance with the processing principles of Article 5 GDPR and with a weighing of interests in accordance with Article 6 Paragraph 1 lit. f GDPR is a fundamentally irreversible individual decision. However, there is a lack of case law from the Administrative Court on the question of which principles such a balancing of interests must satisfy; in particular whether and under what conditions the provisions of the Capital Adequacy Ordinance can be used as a guideline for determining the permissible storage period of creditworthiness data.