BVwG - W274 2232028-1/3E

From GDPRhub
BVwG - W274 2232028-1/3E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 12 GDPR
Article 14 GDPR
Article 17 GDPR
Decided: 21.10.2020
Published: 13.01.2021
Parties: Datenschutzbehörde (Austrian Data Protection Authority)
data subject (unknown)
CRIF GmbH (respondent before the DSB)
National Case Number/Name: W274 2232028-1/3E
European Case Law Identifier: ECLI:AT:BVWG:2020:W274.2232028.1.00
Appeal from: DSB (Austria)
D124.926
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court rejected an appeal against a decision by the Austrian DPA: the failure to inform a data subject under Article 14 GDPR of a processing activity does not result in the general unlawfulness of said processing under Article 6. Furthermore, the BVwG again confirmed that Credit reference agencies may store data on payment defaults for five years after the debt has been cleared.

English Summary

Facts

In April 2019, the data subject sent an request for erasure of data on several payment defaults and some address data to the credit reference agency (CRA) CRIF GmbH because the debts had all been cleared. The CRA refused the erasure, stating that the data was still relevant for the purposes of assessing the data subject's creditworthiness.

In June 2019, the data subject lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB), stating that all debts still stored in the CRA's data base have been cleared and that several debts only concerned insignificant amounts.

The DSB rejected the complaint regarding the data on payment defaults but ordered the CRA to delete data on an old address of the data subject. The DSB held that the data on the payment defaults concern a total amount of more than EUR 3,000 and that none of the debts has been cleared more than 5 years ago. Under case law by the BVwG (see BVwG - W211 2225136-1), CRAs are allowed to store data on payment defaults or insolvencies for a five-year period after the clearance of the debt.

The data subject filed an appeal against this decision by the DSB. In this appeal he/she also argued (for the first) time, that the CRA had also violated Article 14 GDPR because the data subject had never been informed about the processing of his/her data. Hence, the data must also be deleted under Article 17(1)(d) GDPR.

Dispute

Was the CRA allowed to still store data on payment defaults after the debts have been cleared? If so, for how long?

Does the failure to inform the data subject under Article 14 GDPR result in the general unlawfulness of the processing and the obligation for the controller to delete the data under Article 17(1)(d) GDPR?

Holding

The BVwG rejected the appeal and fully upheld the decision by the DSB.

On the issue of storage duration of the data on payment defaults, the BVwG agreed with the DSB's reasoning and held that none of the data must be erased at the time of the decision. All the data stored could still be considered relevant for assessing the data subject's creditworthiness.

With regards to the non-information under Article 14 GDPR, the BVwG applied a "narrow concept" of lawfulness under Chapter II GDPR: The lawfulness of processing is only determined by Article 5 et seqq. GDPR. A violation of Article 13 or 14 GDPR can be fined under Article 83(5) GDPR but it does not affect the lawfulness of processing as such.

Comment

Please note, that the BVwG did not assess, whether a CRA is under the obligation to inform data subjects under Article 14 GDPR or can rely on one of the exceptions in Article 14(5) GDPR. This question was of no relevance for the case at hand as the failure of providing information would not have made the processing as such unlawful, according to the BVwG.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
Federal Administrative Court
Decision date
21.10.2020
Business number
W274 2232028-1
Saying
W274 2232028-1/3E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, by Judge Lughofer as Chairman and the expert lay judges Prof. KommR POLLIRER and Dr. GOGOLA as Associate Judges, rules on the appeal of XXXX , XXXX , represented by Dr. Bernhard Birek, lawyer, 4707 Schlüßlberg, against the decision of the data protection authority, Barichgasse 1030 Vienna, of 23 March 2020. Bernhard Birek, lawyer, Marktplatz 4, 4707 Schlüßlberg, against the decision of the data protection authority, Barichgasse 40 - 42, 1030 Vienna, of 23.03.2020, GZ D124.9262020-0186.779, co-participants XXXX , XXXX , on the grounds of infringement of the right to deletion, in closed session:
The appeal is not upheld.
The appeal is admissible pursuant to Art. 133 para. 4 B-VG. 

Text

Reasons for decision:
1.1 In a letter dated 25 April 2019, XXXX (hereinafter: complainant, BF), represented by a lawyer, contacted XXXX (hereinafter: co-participant, MB) requesting the deletion of data relating to him pursuant to Article 17(1)(a) of the GDPR. He stated that according to a current query, information about him was stored in the MB system. The arrears had been settled and full payment had been made. In view of the small amount of entries, the time that had passed in the meantime and the small number, further storage was no longer justified. 
1.2 In an email dated 16 May 2019, MB stated that it processes information in connection with creditworthiness (credit standing) within the scope of its business licence pursuant to section 152 of the Austrian Trade Regulation Act (credit agency on credit relationships). Payment history data and insolvency proceedings are important cases of information relevant to creditworthiness. The MB only receives information on negative payment experiences if there is a default in payment, the first two reminders by the creditor have been unsuccessful and a third reminder by a debt collection agency has also been unsuccessful and there is thus a continuing qualified default in payment. The numerous payment experiences in the case at hand constituted information relevant to creditworthiness, which is why the described legitimate interest existed in any case. Claims that had already been settled ("positively settled") also constituted data relevant to creditworthiness: The fact that a debt is only settled after a qualified reminder or collection by debt collection agencies or lawyers means at least a temporary default of payment and thus results in a credit risk with regard to future legal transactions. In order to provide a factually correct and complete picture of the creditworthiness-related data stored on a person and thus to comply with the principle of data accuracy pursuant to Article 5 (1) (d) of the GDPR, it is therefore important that claims that have already been paid remain in the MB's database. The MB only stores personal data as long as there is a legitimate purpose for the processing. The (meant) storage of the claims in question was still necessary for the purposes for which they were collected or processed. 
On the occasion of the letter, the MB had again checked and updated the payment experiences and was sending updated information. 
Already on 20.08.2018, the MB had sent a representation of the payment experience data stored with it concerning the BF, based on a request for information from the BF dated 03.08.2018. 
1.3 In a letter from a lawyer dated 11 June 2019, improved on 13 August 2019 after an order to remedy deficiencies, XXXX complained to the Data Protection Authority (DPA) (hereinafter: the authority concerned), claiming that, according to the information provided by the MB (meant), payment experience data and personal data were stored about him. The payment history data related to out-of-court debt collection between February 2014 and April 2017. Of the seven claims cited, only one exceeded the amount of EUR 1,000. Three amounts were less than EUR 100. In the meantime, all of the BF's outstanding claims had been settled and cleared. The MB also stored the BF's name, date of birth and address. The AA had learned of the processing of the data through the information of 20 August 2018. 
By letter dated 27.03.2019, the MB had been asked to delete the data it had collected due to full payment. 
This had been rejected on the grounds that the numerous payment experiences available represented information relevant to creditworthiness, which was why there was a legitimate interest in storing the data. The personal data was necessary in order to be able to process the data relevant to creditworthiness. If both older and recent payment experiences were available, the accumulation of these data would result in a statement relevant to creditworthiness, which would also provide the purpose and legal basis for processing older data. 
This approach did not comply with the legal basis. According to Article 17(1)(a) of the GDPR, personal data must be deleted as soon as they are no longer necessary for the purpose for which they were collected. The purpose for which the data had been collected had ceased to exist, as the BF had fulfilled all payment claims in full. Since the storage of data relevant to creditworthiness was already unlawful, it followed that the personal data could also no longer be stored. There was no statutory time limit on how long payment data could be stored in credit report files after the claim had been settled. The previous legal situation had provided for deletion after five years at the latest when the debt had been paid in full. Due to the changed legal situation since 25 May 2017, this deadline could no longer be maintained. According to the current assessment, a case-by-case assessment had to be made, taking into account all relevant circumstances. These circumstances were, in particular, the amount of the individual claims, the age, the number and the time that had elapsed since the payment of the claim, as well as the origin of the data. If these aspects were weighed against each other, only one claim exceeded EUR 1,000. The largest claim had already been closed on 14 June 2017. Two years had passed since then. The number of claims pursued, seven over a period of three years between 2014 and 2017, was also not to be classified as serious. Taking into account all the circumstances, the storage of the data for creditworthiness-related purposes was no longer necessary and unlawful. 
The appeal was timely because the BF only became aware of the refusal of cancellation in May 2019 and the one-year time limit had been met. 
The data protection authority wanted to establish the violation of the right to erasure pursuant to Art. 17 of the GDPR. 
Attached were a deletion request from the BF represented by a lawyer dated 25.04.2019, an email from the MB to the BF's legal representative dated 16.05.2019 and information from the MB to the BF dated 20.08.2018 (information pursuant to Art. 15 of the GDPR). 
1.4 Upon request, the MB submitted a statement dated 29.10.2019 to the authority concerned and requested that the complaint be dismissed. 
The MB first referred to its updated information enclosure 1 attached to the letter of 16 May 2019 to the BF, which showed that a claim contested in the complaint, operated by Actio Finanzdienstleistung GmbH in the amount of EUR 123.99, had already been deleted from the MB's database and was no longer being processed. 
The MC then explained its tasks as a credit reference agency and the related legal basis according to the GDPR and further explained that it was evident from the information of 20 August 2018 that the MC had processed seven negative payment experiences for the BA at that time, the correctness of which had not been disputed by the BA. One of these claims, amounting to 123.99 euros, had been positively settled and deleted in the meantime. Between 2014 and 2017, the MC had opened payment experiences against the BF and between 2015 and 2019 they had been closed (paid or written off). The claims against the BF have therefore remained unpaid for several months to several years. The claims at issue in the proceedings each amounted to between EUR 39.90 and 1,687.50 and totalled EUR 3,147.52 (excluding the claim already cancelled). At the time of the information of 15 May 2019, five of the six remaining claims had already been positively settled. 
The processing of this payment experience data was indispensable for the credit agency's requirements regarding credit relationships, the payment experience data was relevant to creditworthiness and had to remain in the MB's database. Article 5(1)(d) of the GDPR states the principle of data accuracy. This could only be the case if all correct available data relevant to the assessment of creditworthiness were processed. If the MB were to fully comply with the BF's request and delete all claims apparent in the information of 20 August 2018, this would result in a distorted and inaccurate picture of the BF's creditworthiness. Customers would then receive the information that no payment history data was stored on the AA, and the AA would thus receive the same credit rating as a person who had always paid his debts on time. This did not correspond to the facts. As can be seen from the information of 20 August 2018 and 15 May 2019, a large number of debts had only been settled by the applicant after several reminders and debt collection agencies. This had caused at least temporary financial damage to the creditors. Due to this defaulting payment behaviour, costly debt collection measures had to be taken. 
As stated by the authority, the number of claims collected by a debt collection agency was also a decisive factor in determining whether a claim could remain in the MB database. Due to the high number of such claims, even those which, viewed in isolation, might no longer be relevant to creditworthiness due to their amount or age, would have to remain in the database. 
The interest of the BF's potential contracting partners in advance outweighed his interest in secrecy regarding the payment experience data in question. In particular, the short time that had elapsed since the termination of the collection cases (the last case had only been positively settled about half a year ago), the amount of the payment experiences (in total EUR 3,147.52), the duration of the unadjusted liability as well as the combination of numerous (six or seven) collection cases had to be taken into account. The accumulation was of particular importance. 
The processing of the BF's data by the MB was therefore still necessary. The complaint should therefore be dismissed as unfounded or the proceedings should be discontinued. 
1.5 In the contested decision, the authority partially upheld the complaint and found that the MB had violated the applicant's right to deletion by not deleting the former residential address (historical registration date) "XXXX". The MB was ordered to delete this former residential address of the applicant within a period of four weeks (decision points 1. and 2.). For the rest, the complaint was dismissed as unfounded (decision point 3). 
The authority concerned established the following facts - as far as relevant for the appeal proceedings (decision point 3.): 
"The MB operates a trade pursuant to section 152 of the GewO 1994 as a credit reference agency. In this context, it has stored the following entries on the BF in its system since 15.05.2019 at the latest:
Payment experience data:
Opened	Closed	Capital claim	Open	Receivables status	Payment status	Origin of the information
20.02.2014	11.03.2019	567,11 €	0,00 €	Extrajudicial Collection	positively settled	XXXX 
30.11.2015	01.03.2019	39,90 €	0,00 €	Extrajudicial Collection	positively settled	XXXX 
13.10.2015	18.12.2017	39,90 €	39,90 €	Extrajudicial Collection	booked out	XXXX 
20.05.2016	09.08.2017	743,13 €	0,00 €	Debt collection by lawyer	positively settled	XXXX 
06.04.2017	14.06.2017	1.687,50 €	0,00 €	Extrajudicial Collection	positively settled	XXXX Limited liability company
13.07.2015	26.08.2015	69,98 €	0,00 €	Extrajudicial Collection	positively settled	XXXX 
						
…
The following payment experience date was already deleted by the respondent before the complaint was filed with the data protection authority: 
Opened	Closed	Capital claim	Open	Receivables status	Payment status	Origin of the information
15.06.2016	12.04.2017	123,99 €	0,00 €	Debt collection by lawyer	positively settled	XXXX 
						
The MB takes into account the age of a positively settled entry on a claim that existed in the past as part of the credit assessment carried out. The longer such an entry lies in the past, the more the probability of default calculated by the MB is reduced. 
…
In its legal assessment, the authority first presented its case law on the question of how long entries in databases of credit agencies may be stored. A uniform standard, from which a general time limit for deleting creditworthiness-related data from the database of a credit reference agency after the debts have been repaid, was not recognisable. Rather, an assessment of the individual case would appear to be necessary, taking into account all relevant circumstances, including the amount of the individual debts, their age, the number of debts collected by a debt collection agency and the time that had elapsed since the settlement of a debt. The origin of the data was also to be taken into account. Furthermore, with regard to the specific storage period of the payment experience data, reference should be made to the decision of the Federal Administrative Court of 30 October 2019 GZ W258 2216873, according to which observation or deletion periods in legal provisions that serve the protection of creditors or that specify the requirements for an appropriate assessment of creditworthiness can be used as a guideline as to how long creditworthiness data is suitable for assessing the creditworthiness of a potential debtor. Such provisions were found in the "Capital Adequacy Ordinance", in which credit institutions were obliged, among other things, to evaluate their customers and assess various risks of their claims. A historical observation period for a data source, which could also be external, of at least five years had to be taken as a basis. The estimate of the loss rate in the event of a default must also be based on a period of at least five years. 
The European legislator therefore assumes that data on any payment defaults over a period of at least five years are relevant for assessing the creditworthiness of a potential debtor or the risk of a claim. 
The AM processed six entries concerning payment experience data on the BF, which amounted to a total of 3,147.52 euros and had all been collected out of court or by a lawyer. Although the amounts involved were for the most part not too high (from EUR 39.90 to EUR 1,687.50), the aggregation of the claims made provided a significant statement about the AA's creditworthiness and payment behaviour. Even the settlement of a claim that was the longest in the past (EUR 69.98, positively settled on 26 August 2015) was within the period of five years mentioned. The most recent positive settlement was just over a year ago. 
The processing of the data subject of the proceedings was still necessary for the purpose of creditor protection within the meaning of Article 17(1)(a) of the GDPR. 
With regard to the claim that had already been cancelled by the MC before the complaint was filed, the complaint was not to be upheld for lack of an appeal. 
However, the continued processing of the BF's address mentioned in point 1 constituted a violation of the right to deletion, which is why the MA had to be instructed to comply with the BF's request pursuant to Section 58(2)(c) of the GDPR. 
1.6 The BF's appeal "on grounds of procedural error and incorrect legal assessment" is directed solely against item 3 of this decision, with the request - insofar as it is directed at the Administrative Court - that the decision be amended with regard to item 3 to the effect that all payment history data on the BF be deleted by the MC "on grounds of obsolescence and non-entitlement". 
1.7 The respondent authority submitted the complaint together with the administrative act in electronic form to the Federal Administrative Court on 29 May 2020, where it was received on 17 June 2020. The authority contested the complaint and added that the BF first raised a violation of Article 14 of the GDPR in the present appeal, which is why it could not have been the subject of the first-instance proceedings and the authority did not address it. Furthermore, it is not apparent from the BF's statements why a failure to provide information pursuant to Article 14 of the GDPR should lead to the existence of a reason for deletion pursuant to Article 17(1)(d) of the GDPR in this case, which is why the continued storage of the personal data was lawful.
The complaint is not justified:
2.1 The Administrative Court also bases its decision on the correspondence reproduced at the beginning of the reasons for its decision as well as on the above findings made by the authority concerned which are relevant and undisputed for the appeal proceedings. 
On the storage period:
2.2.1 In its complaint, the BF agrees with the argumentation of the prosecuting authority regarding the storage period of the data in question insofar as it refers to the criteria for an individual case assessment, amount, "age" and number of claims as well as the time that has elapsed since the settlement, as set out in the decision of 7 December 2018 DSB-D123.193/0003-DSB/2018. The BF then states that if the authority then refers to the decision of the Federal Administrative Court of 30.10. 2019 2216873 with regard to the specific storage period, this is not the case.2019 2216873, according to which a five-year period for assessing creditworthiness must be assumed, the authority deviates from its own assessment of individual cases, according to which it should also be avoided that those affected, who have regained a solid financial basis after the cancellation of debt settlement proceedings or after payment of their debts, would again have to struggle with difficulties regarding their creditworthiness in business due to negative entries. In its overall assessment, the authority had given too much weight to the fact that too much time had elapsed since the last payment of a debt in relation to the other circumstances described above. Only one claim exceeded the amount of EUR 1,000.00, the others ranged between EUR 39.90 and EUR 567.11 and could be considered minor. The largest claim had already been closed on 14 March 2017, i.e. more than two years ago. The total number of claims of seven in a period of three years between 2014 and 2017 was also not serious.
To this end, it must be stated:
2.2.2 Since the BF shares the legal basis of the argumentation of the authority concerned, insofar as it relates to the decision of 7 December 2018 GZ DSB-D123.193/0003-DSB/2018, a more detailed presentation can be dispensed with in this respect. 
2.2.3 Regarding W 258 2216873, the Federal Administrative Court (BVwG) in its decision of 30 October 2019, as far as relevant for the proceedings to be conducted here, dealt with the question of how long the storage of data on repaid debts by a credit agency can be lawful, also in compliance with the processing principles under Art 5 of the GDPR, "purpose limitation", "data minimisation", "accuracy" and "storage limitation". In doing so, it initially assumed that the permissible storage period depended on the individual case in the absence of specific time limits under the GDPR or the GewO, but that such payment information was all the less meaningful for future payment behaviour the longer it dated back and the longer there had been no further payment delays or defaults ("age of the claim" and "past good conduct"). Furthermore, the BVwG looked for observation and deletion periods in legal provisions that served to protect creditors as a guideline for the permissible storage period. The BVwG used the EU Capital Adequacy Regulation as such a provision, which obliges credit institutions to evaluate their customers and assess various risks of their claims. In doing so, credit institutions would have to use a historical observation period for at least one data source of at least five years for credit and retail claims vis-à-vis natural persons. However, if credit institutions, as potential business partners of the data subject, are legally obliged to assess their receivables on the basis of the default rates of at least the last five years, it is - according to the finding - not a violation of the principle of data minimisation and storage limitation if data on receivables that have temporarily or completely defaulted within this period are processed by a credit agency.
The aforementioned case law is therefore also based on the processing principles of data minimisation and storage limitation.
2.2.4 If the BF believes that only one claim exceeds the amount of EUR 1,000.00, the others range between EUR 39.90 and EUR 567.11, he does not start from the established facts - without questioning the findings of the prosecuting authority: The BF overlooks the fact that the "other" claims range between EUR 39.90 and EUR 743.13 (4th row of the table "payment experience data"). He also overlooks that the "largest claim" was not closed on 14.3.2017 but on 14.6.2017 (5th row of the table). Finally, he overlooks the fact that one of the claims, albeit a small one for EUR 39.90 from 13.10.2015, was not "settled" according to the uncontested findings, but merely "written off". 
In view of this, the BF has no justified reservations about the qualification of the temporary and, in one case, permanent defaults on payments totalling EUR 3,147.52 over a period of 2 years and 2 months, with the first claim having been settled slightly more than 5 years ago and the last claims (amounting to EUR 567.11 and EUR 39.90) only one and a half years ago, by the authority in such a way that the processing of the BF's payment experience data in this regard is still necessary. In this context, the BF may also be reminded that according to the findings, the last positively settled claim of EUR 567.11 - which cannot be qualified as a small claim - remained unpaid for more than 5 years, so that even the use of all criteria mentioned by the BF cannot lead to a different result overall. 
On the alleged breach of information duties: 
2.3.1 For the first time in the complaint, the AA argues that Art 14 GDPR was not addressed in any way in the procedure, as the AA was not informed in any way "about the conditions standardised in this article". The burden of proof for this lay with the MB. In any case, this would result in a claim for deletion under Article 17(1)(d) of the GDPR. Exceptions according to Article 17(3) of the GDPR had not been claimed by the MB, which had the burden of proof.
To this end, it must be stated:
2.3.2 Article 14 of the GDPR extensively regulates the obligation to provide information if the data is not collected from the data subject.
On the question of lawfulness of processing, it is discussed whether this principle of lawfulness only refers to whether a certain processing is lawful (narrow understanding), which is regulated in Art 6, or also concerns the circumstances of the processing, i.e. also refers to compliance with all requirements and obligations arising from the GDPR (broad understanding). The German version "auf rechtmäßig Weise" is used as an argument for a broad understanding, the English version "lawfully" as one for a narrow understanding. Even according to a broad understanding, however, processing is not considered unlawful simply because the controller does not fulfil all obligations of the GDPR, such as the information obligations according to Art 13ff. Such breaches of obligations can lead to the sanctions provided for this (Art 83f), not to unlawfulness of the processing per se (Hötzendorfer Tschohl Kastelitz in Knyrim, Datkomm Art 5 DSGVO, Rz 12, as of 1.10.2018, rdb.at). 
The question of whether the failure to provide the information could call into question the lawfulness of the data processing per se, i.e. whether the provision of the information is considered to be "justifying lawfulness", is therefore predominantly answered to the effect that lawfulness is determined according to Art 5ff and that the provision or failure to provide the information, since it is punishable, has no influence on the fundamental lawfulness of the processing (Illibauer in Knyrim, Datkomm Art 14 DSGVO, Rz 4, as of 1.10.2018, rdb.at). 
2.3.3 The allegation made for the first time in the complaint regarding a breach of the MB's duty to inform is unspecific ("not informed in any way about the conditions set out in Article 14"). The BA does not even begin to explain which duty of information it considers to have been violated by the MC. It is already clear from the letter from the BF's representative dated 25 April 2019, reproduced at the beginning of the grounds for the decision, that the BF was already informed about the data stored in the MB's system before the data protection complaint was lodged. Furthermore, there are no indications from the further correspondence that the AA did not agree with the information on his data stored by the MA with regard to content and completeness. 
However, since any violations of the duty to inform, as described above, can be sanctioned by fines and do not call into question the lawfulness of the data processing per se, the objection in this regard is irrelevant to the request for deletion, which is the only one at issue here. Therefore, neither a discussion (an oral hearing was not requested) nor a notification of the complaint to the MB pursuant to § 10 VwGVG was necessary.
2.4 Pursuant to § 24 (3) VwGVG, an oral hearing was not required because the relevant facts had been established, a hearing had not been requested and the new arguments (see 2.3. above) - irrespective of their lack of concreteness - could not legally lead to success for the BF in the proceedings for violation of the right to cancellation. 
On the admissibility of the appeal:
It is true that the question of how long data may be used in compliance with the processing principles of Article 5 of the GDPR and with a balancing of interests pursuant to Article 6 (1) (f) of the GDPR is in principle a non-reviewable individual decision. However, there is still no case law of the Administrative Court on the question of which principles such a balancing of interests must comply with; in particular, whether and under which conditions the provisions of the Capital Adequacy Regulation can be used as a guideline for determining the permissible storage period of creditworthiness data. 
The appeal is admissible insofar as legal questions of fundamental importance in the meaning of Art 133 (4) B-VG had to be resolved.
European Case Law Identifier
ECLI:AT:BVWG:2020:W274.2232028.1.00