Difference between revisions of "OGH - 6Ob87/21v"

From GDPRhub
 
(8 intermediate revisions by 5 users not shown)
Line 16: Line 16:
  
 
|Date_Decided=23.06.2021
 
|Date_Decided=23.06.2021
|Date_Published=
+
|Date_Published=19.08.2021
 
|Year=2021
 
|Year=2021
  
Line 39: Line 39:
 
|Party_Link_5=
 
|Party_Link_5=
  
|Appeal_From_Body=Higher Regional Court
+
|Appeal_From_Body=
|Appeal_From_Case_Number_Name=GZ 12 R 89/20a-28
+
|Appeal_From_Case_Number_Name=12R89/20a-28
 
|Appeal_From_Status=
 
|Appeal_From_Status=
 
|Appeal_From_Link=
 
|Appeal_From_Link=
Line 52: Line 52:
 
}}
 
}}
  
The Austrian Supreme Court decided to reject an erasure request for about 3 years old data on unpaid invoices used by a credit scoring agency to determine the credit risk of the data subject. The court found no violation of the principle to storage limitation and that the interest of the data subject do not prevail the interests of the agency and related entities given the purpose and period of the data processed in the concrete case.
+
The Austrian Supreme Court rejected an erasure request by a data subject to delete approximately 3 years old data on unpaid invoices processed by a credit scoring agency for the purpose of creditworthiness assessments. The court found no violation of the principle of storage limitation or overriding interests of the data subject that would require the erasure of the data.
  
 
== English Summary ==
 
== English Summary ==
  
 
=== Facts ===
 
=== Facts ===
The credit scoring agency (the defendant) collected past payment data on the data subject (the plaintiff) in order to provide other parties with a credit score reflecting their risk of non-payment. In this regard, the defendant stored data on several unpaid online shopping invoices from 2017 and 2018 by the plaintiff. While the plaintiff caught up with the payments later on, the data on such invoices remained stored as “positively settled” for a ten years’ period in the defendant’s system.
+
The credit reference agency (the defendant) collected past payment data on the data subject (the plaintiff) in order to provide other parties with a credit score reflecting their risk of non-payment. In this regard, the defendant stored data on the plaintiff regarding several unpaid online shopping invoices from 2017 and 2018. While the plaintiff caught up with the payments later on, the data on such invoices are to remain stored as “positively settled” for a ten years’ period in the defendant’s system.
  
The plaintiff requested the defendant to delete all the payment data relating to them. They argued that there was no need for such data anymore since all entries have been positively settled. Moreover, the invoices amounts were insignificant and the plaintiff’s financial situation has improved considerably. The plaintiff argued therefore, that the incomplete and outdated data would unreasonably hinder their participation in economic life. According to the plaintiff, such impairments cannot be based on data that is up to ten years old.
+
The plaintiff requested the defendant to delete all the payment data relating to them. They argued that there was no further necessity to process such data since all entries have been positively settled. Moreover, the invoices amounts were insignificant and the plaintiff’s financial situation has improved considerably. The plaintiff argued therefore, that the incomplete and outdated data would unreasonably hinder their participation in economic life. According to the plaintiff, such impairments cannot be based on data that is up to ten years old.
  
 
The defendant argued that the processing the data was legitimate. The purpose of the data processing is to grant other companies access to such data, given their need to assess the payment behaviour of potential customers when entering into a credit risk. Deleting such data would distort the accurate representation of the plaintiff's creditworthiness. The interests of the defendant and related third parties would outweigh the plaintiff's interest in deletion.
 
The defendant argued that the processing the data was legitimate. The purpose of the data processing is to grant other companies access to such data, given their need to assess the payment behaviour of potential customers when entering into a credit risk. Deleting such data would distort the accurate representation of the plaintiff's creditworthiness. The interests of the defendant and related third parties would outweigh the plaintiff's interest in deletion.
 
=== Holding ===
 
=== Holding ===
The court decided, that the plaintiff's claim for erasure cannot be based on the ten-year storage period, since as part of an individual assessment, it may only examine the storage period in the particular case. Beginning with the first entry on unpaid invoices in 2017, therefore only an period of storage of approximately 3 years can be considered.
+
The Austrian Supreme Court (Oberster Gerichtshof - OGH) decided, that the plaintiff's claim for erasure cannot be based on the ten-year storage period, since as part of an individual assessment, it may only examine the storage period in the particular case. Beginning with the first entry on unpaid invoices in 2017, therefore only an period of storage of approximately 3 years can be considered.
  
In this regard, the court found that the plaintiff failed to counter the legal opinion of the previous judgements. Accordingly, it is precisely necessary to record payment experience data over a longer period of time in order determine trends and avoid snapshots. It is essential to ensure an objective, transparent and truthful information about customers’ ability and difficulty to pay, to minimize risks of third-party lenders.
+
In this regard, the OGH found that the plaintiff failed to provide convincing arguments against the legal opinion of the preceding lower courts' judgements. Accordingly, it is precisely necessary to record payment experience data over a longer period of time in order determine trends and avoid mere "snapshots". It is essential to ensure an objective, transparent and truthful information about customers’ ability and difficulty to pay, to minimize risks of third-party lenders.
  
The court upheld the opinion by the previous courts, that the overall effect of the stored information does not ultimately cut off the plaintiff’s participation in economic life. In fact, the data is still relevant for their creditworthiness and thereby still relevant to the credit scoring agency and related third parties. Accordingly, the court rejected the erasure request of the plaintiff, given that it found no violation of Article 5(1)(c)(e) GDPR and a prevailing legitimate interest of the defendant according to Article 6(f) GDPR.
+
The OGH upheld the opinion by the lower courts, that the overall effect of the stored information does not ultimately cut off the plaintiff’s participation in economic life. In fact, the data is still relevant for their creditworthiness and thereby still relevant to the credit scoring agency and related third parties. Accordingly, the OGH rejected the erasure request of the plaintiff, given that it found no violation of Article 5(1)(c)(e) GDPR and a prevailing legitimate interest of the defendant according to Article 6(f) GDPR.
  
 
== Comment ==
 
== Comment ==
''Share your comments here!''
+
It must be noted that the judgment is an '''obiter dictum''' to a large extent. The OGH declared that the question of the lawfulness of a 10 year storage period  is not relevant for the case at hand (see margin number 21 of the judgment:''"In the present case - as already stated - the question of the maximum permissible storage period can be left open because the plaintiff's data have only been stored for three years and this would in any case be permissible on the basis of the case law of the Federal Administrative Court.")'' Nevertheless, the OGH then extensively outlined its legal opinion on storage period of payment experience data ''("for the sake of completeness").''
  
 
== Further Resources ==
 
== Further Resources ==

Latest revision as of 10:12, 10 September 2021

OGH - 6Ob87/21v
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Decided: 23.06.2021
Published: 19.08.2021
Parties:
National Case Number/Name: 6Ob87/21v
European Case Law Identifier: ECLI:AT:OGH0002:2021:0060OB00087.21V.0623.000
Appeal from:
Appeal to: Not appealed
Original Language(s): German
Original Source: Federal Legal Information System (in German)
Initial Contributor: n/a

The Austrian Supreme Court rejected an erasure request by a data subject to delete approximately 3 years old data on unpaid invoices processed by a credit scoring agency for the purpose of creditworthiness assessments. The court found no violation of the principle of storage limitation or overriding interests of the data subject that would require the erasure of the data.

English Summary[edit | edit source]

Facts[edit | edit source]

The credit reference agency (the defendant) collected past payment data on the data subject (the plaintiff) in order to provide other parties with a credit score reflecting their risk of non-payment. In this regard, the defendant stored data on the plaintiff regarding several unpaid online shopping invoices from 2017 and 2018. While the plaintiff caught up with the payments later on, the data on such invoices are to remain stored as “positively settled” for a ten years’ period in the defendant’s system.

The plaintiff requested the defendant to delete all the payment data relating to them. They argued that there was no further necessity to process such data since all entries have been positively settled. Moreover, the invoices amounts were insignificant and the plaintiff’s financial situation has improved considerably. The plaintiff argued therefore, that the incomplete and outdated data would unreasonably hinder their participation in economic life. According to the plaintiff, such impairments cannot be based on data that is up to ten years old.

The defendant argued that the processing the data was legitimate. The purpose of the data processing is to grant other companies access to such data, given their need to assess the payment behaviour of potential customers when entering into a credit risk. Deleting such data would distort the accurate representation of the plaintiff's creditworthiness. The interests of the defendant and related third parties would outweigh the plaintiff's interest in deletion.

Holding[edit | edit source]

The Austrian Supreme Court (Oberster Gerichtshof - OGH) decided, that the plaintiff's claim for erasure cannot be based on the ten-year storage period, since as part of an individual assessment, it may only examine the storage period in the particular case. Beginning with the first entry on unpaid invoices in 2017, therefore only an period of storage of approximately 3 years can be considered.

In this regard, the OGH found that the plaintiff failed to provide convincing arguments against the legal opinion of the preceding lower courts' judgements. Accordingly, it is precisely necessary to record payment experience data over a longer period of time in order determine trends and avoid mere "snapshots". It is essential to ensure an objective, transparent and truthful information about customers’ ability and difficulty to pay, to minimize risks of third-party lenders.

The OGH upheld the opinion by the lower courts, that the overall effect of the stored information does not ultimately cut off the plaintiff’s participation in economic life. In fact, the data is still relevant for their creditworthiness and thereby still relevant to the credit scoring agency and related third parties. Accordingly, the OGH rejected the erasure request of the plaintiff, given that it found no violation of Article 5(1)(c)(e) GDPR and a prevailing legitimate interest of the defendant according to Article 6(f) GDPR.

Comment[edit | edit source]

It must be noted that the judgment is an obiter dictum to a large extent. The OGH declared that the question of the lawfulness of a 10 year storage period is not relevant for the case at hand (see margin number 21 of the judgment:"In the present case - as already stated - the question of the maximum permissible storage period can be left open because the plaintiff's data have only been stored for three years and this would in any case be permissible on the basis of the case law of the Federal Administrative Court.") Nevertheless, the OGH then extensively outlined its legal opinion on storage period of payment experience data ("for the sake of completeness").

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.



court
Supreme Court


Decision date
June 23, 2021


Business number
6Ob87 / 21v


head
The Supreme Court, as a court of appeal by the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges in the case of the plaintiff M *****, represented by Mag. Bernhard Hofer, attorney in Vienna, against the defendant C ***** GmbH, **** *, represented by Pitzal / Cerny / Partner Rechtsanwälte OG in Vienna, because of data deletion, on the appeal by the plaintiff against the judgment of the Higher Regional Court of Vienna as an appeal court of February 15, 2021, GZ 12 R 89 / 20a-28, whereby the judgment of Regional Court for Civil Law Matters Vienna of August 20, 2020, GZ 6 Cg 2 / 20p-22, was confirmed, rightly recognized in a closed session:


Saying

The revision is not followed.
The plaintiff is owed to reimburse the defendant within 14 days for the costs of the appeal proceedings determined at EUR 833.88 (including EUR 138.98 VAT).


text
Reasons for the decision:
 [1] The defendant operates a credit agency within the meaning of § 152 GewO 1994. It collects and processes payment experience data that is automatically transmitted to it as a data record by debt collection companies and other companies. In a framework agreement, these companies have committed themselves to the defendant not to transmit payment history data until the creditor has given the debtor at least three unsuccessful warnings after the due date of the claim and then engaged a debt collection company, through which another unsuccessful warning has been issued. If the claims are disputed by the debtors, the defendant does not save these data records. If the claims are paid at a later point in time, the payment history data will remain stored; however, it is noted that the payment status is "positively done". Based on an algorithm used by the defendant, a numerical value ("score") is calculated from the stored data, which is intended to reflect the creditworthiness or probability of default of a person or a company. The number of negative payment history data, the amount of outstanding amounts, the period since the claim was recorded and the payment history of the person concerned / the company have an influence on the score according to the algorithm specified by the defendant, which is variable insofar as it is dependent improved or worsened from payment behavior over time. According to the defendant's deletion concept, payment experience data are generally deleted after ten years, regardless of the amount of the claim, and data from claims from telecommunications providers after five years.
 [2] The plaintiff concluded mobile phone contracts with two mobile phone operators in 2014 and 2015, but did not pay the invoice amounts of EUR 364.13 and EUR 1,452.19. A judicial assertion was preceded by out-of-court enforcement attempts. Orders for payment dated January 28 and February 18, 2015 as well as two execution permits were issued against the plaintiff. The enforcement proceedings were discontinued on May 28 and June 10, 2015 due to payments made. Due to the unsettled claims, the defendant was sent negative payment experience data relating to the plaintiff from the mobile phone providers, which she entered in her database and has since deleted. In 2017 and 2018, the plaintiff ordered goods from various companies via web shops. She failed to pay at least five bills, even though she had sufficient financial resources between April 2017 and July 2018 to settle these claims as agreed. She was then asked to pay by a debt collection company. After these requests were unsuccessful, the plaintiff was again requested in writing with five reminders to settle the outstanding claims. In each of these reminders there was a note that the payment experience data on undisputed and after the due date unpaid claims as well as address data were transmitted to the defendant for use within the scope of their trade license according to § 152 GewO 1994 (credit agency). The applicant was aware of this. It did not turn to the defendant to dispute the accuracy of the claim.
 [3] The claimant settled the claim of 101.37 EUR on December 11, 2018, the claim of 173.63 EUR on October 19, 2018, the claim of 105.70 EUR on May 18, 2018, the claim of EUR 82.89 on January 22, 2018 and the claim of EUR 45.40 on December 21, 2017. Due to the plaintiff's orders placed in 2017 and 2018 and the unsettled claims, the defendant received the following negative payment experience data submitted by the plaintiff and recorded in the defendant's database as follows:



Opened
Closed
Capital requirement
Open (EUR)
Claim status
Payment status
Origin d. information


June 25, 2018
December 11, 2018
101.37
0.00

out of court.
Operation


positive
completed

i ***** gmbh


03/11/2017
October 19, 2018
173.63
0.00

Operation by
Lawyer


positive
completed

i ***** gmbh


06/16/2017
May 18, 2018
105.70
0.00
out of court. Operation

positive
completed

i ***** gmbh


04/24/2017
01/22/2018
82.89
0.00
out of court. Operation

positive
completed

i ***** gmbh


08/15/2017
December 21, 2017
45.4
0.00
out of court. Operation

positive
completed

i ***** gmbh












 [4] For the plaintiff's earlier surname ("H *****"), the defendant had saved five historical registration data, the deletion of which the first court (legally binding) ordered.
 [5] The plaintiff's participation in economic life is restricted by the entries in the defendant's database, as in many areas (such as the Internet) it does not allow it to order on account, does not grant funding requests and refuses to accept mobile phone contracts. However, it is possible for the plaintiff to place orders against prior payment and to use prepaid mobile phones. The plaintiff is also granted bank loans together with her husband.
 [6] The plaintiff asks the defendant to delete all payment experience data - insofar as it is still relevant in the revision procedure - that it has stored about her. There is no longer any need for registration because all cases have been resolved positively and there are no more outstanding claims; Incidentally, the amounts involved are trivial. The plaintiff's financial situation has meanwhile improved considerably, which is why the outdated data are incomplete and give the impression that the plaintiff has poor payment behavior or payment difficulties. The dissemination of the data made access to economic life more expensive or impossible for the plaintiff. The impairment and thus the interest of the plaintiff in the deletion of the data is far greater than the interest of possible contractual partners, who anyway only have to fear minor losses.
 [7] The defendant objected that the data protection law basis for the processing of the data were legitimate interests of third parties according to Art 6 (1) (f) GDPR, the purpose of the data processing by the defendant was to enable those companies to access the data that were received upon delivery for their goods or services in advance and thus take a credit risk. It is essential for them to be able to assess the payment behavior of their potential contractual partners. If the defendant were to delete all claims, the customers viewing the defendant's database would get a distorted and incorrect picture of the plaintiff's creditworthiness. The data were processed for a legitimate purpose in accordance with Article 5 (1) (d) GDPR and lawfully in accordance with Article 6 (1) (f) GDPR and should remain in the defendant's database in this form; the interests of the defendant and their customers would in any case outweigh the interests of the plaintiff in the deletion.
 [8] The lower courts rejected the request for deletion with regard to the payment registration data. There are interests in the operation of a creditworthiness database in relation to the protection of creditors and the risk minimization of third-party lenders who are protected by the legal system, which is evident from § 152 GewO 1994, but also from § 7 VKrG and § 25a KSchG, which are related to the existence of such creditors Connect the register. The Court of Justice of the European Union (ECJ) had also recognized that creditworthiness databases are fundamentally suitable for reducing the inequality of information between creditors and debtors and the default rate of borrowers and thereby increasing the efficiency of the loan offer (see case C-238/05, Asnef-Equifax). The processing of creditworthiness-relevant data is therefore fundamentally necessary to safeguard the legitimate interests of the defendant and their customers, but also to protect the debtors themselves. In the weighing of the interests of the parties in dispute as well as the customers of the defendant, as required by Art 6 (1) lit f GDPR for the processing of identity and creditworthiness data, the amount of the individual claims, the date of entry of the claims in the database, the number the claims and the time that has elapsed since a claim was settled and in which the debtor has "behaved well" since then. Although the claims are all small here, they testify to a repeated default in payment by the plaintiff within one year. In the context of a risk assessment, the five stored payment history data sets would have a not inconsiderable informative value, which is why potential creditors of the plaintiff are to be accorded a high level of interest in the availability of this data. The improvement in the plaintiff's income situation does not allow the conclusion that there will be no further delay in payment. The interference in the plaintiff's lifestyle caused by the entry in the creditworthiness database was not serious and was also cushioned by the existence of the economic community with her spouse. The (general) duration of ten years until the deletion of payment history data provided for in the defendant's deletion concept is disproportionate to the purpose pursued; In concrete terms, however, it is only about the question of whether payment history data should be deleted that was added to the defendant's database three years ago at the latest. In view of the majority of the claims, this storage period is not unreasonably long.
 [9] The appellate court allowed the appeal because the case law of the Supreme Court on the storage period of creditworthiness data collected by credit agencies within the meaning of Section 152 GewO is lacking and this question goes beyond the present individual case for many people, whose data is processed in a creditworthiness database is important; the subject of the decision exceeds EUR 5,000.
 [10] In this regard, the Supreme Court has considered:


Legal assessment
 [11] It is true that a weighing of interests as to whether the storage period of data is proportionate or not can only be carried out in relation to the respective individual case. Apart from blatant misjudgments, this does not usually justify a significant legal question (RS0044088 [T8, T9]). However, the present case provides an opportunity to clarify the principles that apply here. The revision is therefore permissible; but it is not justified.
 [12] A. Deletion request and storage period (Art 5 Para 1 lit c and lit e GDPR)
 [13] 1.1. According to the findings, the defendant records personal data within the scope of the business of the credit agency according to § 152 GewO in the database it maintains within the meaning of Art 4 Z 1 GDPR, which is made available to it by other companies. Such data stored in the database are in turn made available to third parties for query.
 [14] The defendant's deletion concept provides for payment history data to be deleted after ten years (regardless of other criteria); Cellular data will be deleted after five years. There is no differentiation with regard to the amount of the claim or the claim status with regard to the duration of the storage of the payment history data. The passage of time is only taken into account with regard to the measurement of the so-called “score” - that is, the assessment of the creditworthiness of the person concerned. However, this only affects the risk assessment that is created on the basis of the processed data. However, the fact that other conclusions are drawn from the processed data due to the passage of time has no influence on the question of the legality of the storage duration of the data itself.
 [15] 1.2. In large parts of its legal remedies, the plaintiff takes a position on the deletion of creditworthiness data provided by the defendant's basic deletion concept only after ten years. With its considerations on the inadmissibility of such a long storage period, however, it is not able to point out a legal error by the appellate court because the relevant question - as already correctly recognized by the lower courts - is not at all relevant for the final legal assessment of the present case. The only thing to check here is whether the data processing has already become inadmissible at the end of the first instance hearing due to the passage of time since the first entry of a data record relating to the plaintiff in the defendant's database in spring 2017, because the processed personal data of the plaintiff is necessary for the fulfillment of the Purposes for which they were originally collected are no longer necessary. On the other hand, the claimant's right to erasure under Article 17 (1) GDPR cannot be based on the fact that the defendant's merely intended storage period of ten years in total would be inadmissible. The plaintiff's arguments aimed at this are therefore already in the beginning wrong.
 [16] 2. But also to the extent that the plaintiff, recognizable as being inadmissibly long from the first entry in the defendant's database to the end of the hearing at the first instance, has failed to do so, both in the methodological derivation as well as to counter the convincing legal opinion of the lower courts with valid legal considerations:
 [17] 2.1. The principle of storage limitation in Art 5 (1) lit f) specifies the principle of data minimization (lit c leg cit) with regard to the storage period. When storing personal data, the identification of the data subjects may only be possible for as long as is necessary for the purposes of the processing. With this principle of storage limitation, a time limit for the processing of personal data is standardized (Herbst in Kühling / Buchner, DS-GVO BDSG3 [2020] Art 5 Rz 64). It is therefore an expression of the principle of proportionality (Schantz in BeckOK data protection law Art 5 Rz 32).
 [18] 2.2. The deadline or the criteria according to which the time of deletion is determined must be limited to the minimum necessary for the processing purposes. The determination of the deadlines or criteria therefore usually requires a case-by-case consideration in which the necessity of storing data is assessed on the basis of the processing purposes (Hötzendorfer / Tschohl / Kastelitz in Knyrim, DatKomm Art 5 GDPR margin no. 49 f; see also Herbst in Kühling / Buchner, DS-GVO BDSG3 [2020] Art 17 margin no.17). How long the storage is permitted depends on the purpose and will vary considerably (Reimer in Sydow, European General Data Protection Regulation2 [2018] Art 5 Rz 39). According to Frenzel, the formulation creates pressure to justify the person responsible (Frenzel in Paal / Pauly, DS-GVO BDSG3 [2021] Art 5 Rz 43; to Schantz in BeckOK data protection law Art 5 Rz 32).
 [19] 2.3. In the context of this individual decision, the specific circumstances and purposes of the underlying relationship must be taken into account. According to the established case law of the Federal Administrative Court, historical payment information is less meaningful, the longer it is in the past and the longer there have been no further payment stoppages or defaults (BVwG W
2
58 2216873-1 on a similar case; confirmed by BVwG W274 22
3
2028-1). The age of the claim or the point in time at which the final default of the claim has been established, the point in time of any repayments and the debtor's "good conduct" since then are of decisive importance in the weighing up. As a guideline for how long creditworthiness data are suitable for assessing the creditworthiness of a (potential) debtor, observation or deletion periods in legal provisions can be used according to the Federal Administrative Court, which serve to protect creditors or specify the requirements for a suitable creditworthiness assessment.
 [20] 2.4. Such provisions can be found, for example, in the Capital Adequacy Ordinance (Regulation [EU] No. 575/2013), in which credit institutions are obliged, among other things, to assess their customers and assess the various risks of their claims. Here, the (EU) legislator assumes that data on possible payment defaults over a period of at least five years are relevant for assessing the creditworthiness of a (potential) debtor or the risk of a claim.
 [21] 3.1. In the present case - as already stated - the question of the maximum permissible storage period can be left open because the plaintiff's data have only been stored for three years and this would in any case be permissible on the basis of the case law of the Federal Administrative Court. For the sake of completeness, the following should be pointed out:
 [22] In the weighing of interests to be carried out in the context of the assessment of the storage period, the conflicting interests must be compared and weighed up. It must be weighed up how difficult the storage period encroaches on the person concerned and how essential the data is for the person responsible.
 [23] The defendant operates a credit agency within the meaning of § 152 GewO. This business field is logically dependent on the processing of payment history data. The tasks of these traders include providing information on the creditworthiness of companies and private individuals to third parties. On the one hand, this serves the economic interests of the credit agency and, on the other hand, also interests in relation to creditor protection and risk minimization of third parties.
 [24] 3.2. Based on the case law of the Federal Administrative Court, such data must be stored for at least five years in order to give the most meaningful possible picture of the creditworthiness of a possible debtor. Reference should be made to a decision by the data protection authority, according to which a general deletion of the creditworthiness-relevant data in creditworthiness databases only seven years after the repayment of the debt with regard to Art 6 Para 1 lit f GDPR and the changed legal situation (in this case § 256 IO) is in any case not proportionate ( D.
S.
B-D123.193 / 0003-DSB / 2018; Revision S 7). An appeal was filed against this decision on January 4, 2019, which is why it is not legally binding. A decision by the Federal Administrative Court is still pending - as far as can be seen.
 [25] 3.3. According to the plaintiff, what speaks against the ten-year storage period is that valid information cannot be based on data that is a decade old. In a modern, digitized and volatile labor market, such outdated data can not only lead to damage for the persons concerned, but also for potential creditors who would be deprived of an economically efficient business partner.
 [26] However, these arguments against an absolute storage period of ten years cannot outweigh the arguments for such a storage period. Rather, it is precisely necessary to record payment experience data over a long period of time in order to also be able to determine trends and avoid snapshots. It may be true that the (up to) ten-year period seems (subjectively) disadvantageous from the applicant's point of view, even if the data in the present case was not stored for that long. From the point of view of a debtor who pays all bills on time, a ten-year period is again an advantage. A sensible recipient of this data will also be able to assess this data. The first court rightly found that the “good conduct” of a debtor since the settlement has also been important in the weighing up.
 From the point of view of the entire industry, it is therefore essential to guarantee objective, transparent and, above all, truthful information about the solvency and difficulty of debtors. This is only possible if the data is stored for a certain (longer) period of time. Last but not least, in addition to the interests of the defendant, the storage primarily serves the interests of third parties (e.g. companies that take a credit risk when delivering their goods or services). A shorter storage period, on the other hand, would be suitable for conveying a distorted picture.
 [28] 3.4. It remains open which legal consequences the plaintiff will draw from her reference to the decision of the data protection authority of May 28, 2018, DSB-D216.580 / 0002-DSB / 2018, which are favorable for her. In this decision it was only stated that the unlimited storage of personal data violates the principle of storage limitation (DSB-D216.580 / 0002-DSB / 2018). Such is not the case here anyway.
 [29] B. Processing of data (Art 6 Para 1 lit f GDPR)
 [30] 4.1. Since the storage period does not violate Art 5 GDPR, based on Art 6 Para 1 lit f, the data processing following a weighing of the interests involved, as far as this is decided in favor of the person responsible (Frenzel in Paal / Pauly, GDPR BDSG3 [ 2021] Art 6 margin no.26). First of all, it should be noted that, according to the prevailing view, this provision is formulated very vaguely and could sometimes lead to legal uncertainty (Buchner / Petri in Kühling / Buchner, GDPR BDSG3 [2020] Art 6 Rz 142 ff; Reimer in Sydow, European General Data Protection Regulation2 [2018 ] Art 6 Rz 59; Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR Rz 50).
 [31] 4.2. Art 6 para 1 lit f GDPR enables the processing of personal data in equal relationships among private individuals if it is necessary to safeguard the legitimate interests of a person responsible or a third party. These legitimate interests do not constitute sufficient grounds for the legality of the processing if the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no.49; cf. also the statement 06/2014 of the Article 29 Data Protection Working Party, 30 ff) for the determination of legitimate interests; a mere interference with the rights of the data subject does not make the data processing inadmissible (Schulz in Gola, DS-GVO2 [2018] Art 6 margin no.58). It is also forbidden to generally weigh up against the processing in case of doubt (Reimer in Sydow, European General Data Protection Regulation2 [2018] Art 6 Rz 63).
 [32] 4.3. The balancing of interests follows a three-part scheme: 1. Existence of a legitimate interest, 2. Necessity of processing personal data to realize the legitimate interest and 3. No predominance of the fundamental rights and freedoms of the person concerned (see only Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no.51). First of all, the interest of the person responsible must be determined on the basis of the intended purpose. Legal, economic or ideal interests come into consideration. This interest is to be understood broadly, which is indicated in particular in Recital 47 S 2, 6, 7 (Frenzel in Paal / Pauly, DS-GVO BDSG3 [2021] Art 6 Rz 26). Once the interest has been determined, it must then be normatively determined whether this interest violates the legal order of the Union, the respective member state or data protection principles, including the principle of necessity and the principle of good faith (Schulz in Gola, DS-GVO2 [2018 ] Art 6 margin no.57). In a final step, it must be checked whether the data subject is outweighed by the need for protection. An indication of the predominance of the interests, fundamental rights and freedoms of the person concerned over the processing interests of the person responsible can be seen in particular in the fact that the data processing takes place in a context in which a person concerned does not reasonably have to expect processing (Spindler / Dalby in Spindler / Schuster, Art 6 GDPR margin no.19).
 [33] 4.4. In order to assess the legality of the data processing, the result is a weighing of the interests involved in individual cases from an objective point of view (this was already the case with the court of appeal; see also Schulz in Gola, DS-GVO2 [2018] Art 6 Rz 67). Thus, the question of the processing of data within the meaning of Art 6 Paragraph 1 lit f GDPR is a question that - apart from blatant misjudgments - does not usually represent a significant legal question (RS0044088 [T8, T9]). Rather, the decision depends exclusively on the outcome of the weighing of the respective conflicting interests in the specific case.
 [34] 4.5. Insofar as the plaintiff criticizes that in assessing the (ongoing) necessity of data processing, the specific circumstances, including the "severity of the financial loss" of their creditors, should have been taken into account, the counterpart is that creditworthiness data are kept ready, as was the case with the previous instances Convincingly worked out (§ 510 Paragraph 3 ZPO), in addition to avoiding payment defaults, it also serves to avoid the risk of mere payment delays. A corresponding interest of potential creditors of the plaintiff in obtaining information about their payment history in the past in order to be able to deduce an increased (temporary) risk of default, naturally extends not only to the non-payment (on time) of significant liabilities, In any case, the failure to pay small amounts several times over a period of months and despite repeated reminders allows conclusions to be drawn about possible financial problems or poor payment behavior. The fact highlighted by the plaintiff that her previous creditors may not have suffered any financial loss due to the payment of the liabilities that ultimately took place cannot be decisive from the outset against this background. At the same time, as the appellate court rightly emphasizes, future creditors must be granted a legitimate interest in information regarding the plaintiff's previous payment history even if the information merely serves to better assess their credit risk with regard to minor claims.
 [35] 4.6. Based on these considerations, the plaintiff's legal view is not convincing either, in the case of "positive data" from a private person - meaning data on payment experiences for which the debtor has ultimately paid in full - processing cannot generally be based on Art 6 (1) (f) GDPR because the legitimate interests of the data subject regularly outweigh the interests of the data subject. This unsubstantiated view is apparently based essentially on the (as explained above), inaccurate premise that data on such payment experiences have no substantial value for potential creditors from the outset. The appeal does not provide any further comprehensible argument for why the balancing of interests in the case mentioned should generally be in favor of the person concerned.
 [36] 4.7. If, in this context, the plaintiff generally doubts that the defendant's creditworthiness database is suitable to serve future creditors as a basis for an objective assessment of the default risk, and accordingly argues that the database does not distinguish between (major) payment defaults and (minor) payment delays differentiated, it moves away from the findings according to which, on the one hand, the amount of the unadjusted claim and any subsequent payment can be found in the individual data records and, on the other hand, in the algorithm-based calculation of the future probability of default, the amount of the outstanding amounts and the payment behavior of the individual Debtor is very well taken into account.
 [37] 4.8. In its criticism, pointing in the same direction, that the data in question are "out of date" and in any case do not reflect the actual economic performance of the plaintiff, the plaintiff disregards the fact that in 2017 and 2018 it would have been economically in a position to to pay the small amounts in good time, in any case after a reminder; for this reason alone there can be no question of outdated data. The mere fact that the data records made available in the defendant's database do not allow any reliable conclusions to be drawn about the specific reason for the (temporary) payment default, however, does not render the information worthless for future creditors: Assuming that the defendant's claims that have remained unadjusted then are not stored in the database if the debtor has disputed them, the multiple database entries relating to the plaintiff are meaningful insofar as they are a considerable indicator of either an insolvent or unwilling debtor.
 [38] 4.9. The plaintiff's reference in her appeal to the decision 6 Ob 195 / 08g is wrong simply because it was based on Section 28 (2) DSG 2000, which was issued by the Constitutional Court on October 8, 2015, G 264/2015 Violation of the freedom of expression and information of Art 10 ECHR was repealed as unconstitutional.
 [39] 4.10. The plaintiff correctly argues that within the scope of the balancing of interests required in accordance with Art. that it is denied the conclusion of credit or mobile phone contracts, for example. However, the lower courts have shown convincingly that the overall effect of this does not ultimately lead to the plaintiff being cut off to an unreasonable degree from participation in business life and modern telecommunications. The legitimate information interests of future creditors of the plaintiff therefore prevail in the result compared to the legitimate interest in secrecy of the plaintiff, also with a view to the previous considerations, according to which the multiple database entries for future creditors of the plaintiff are definitely informative for their risk assessment, even if some of the entries have already been made go back to 2017, do not concern any high claims and the data records show that the plaintiff has ultimately paid all liabilities.
 [40] 4.11. In fact, according to Recital 47 of the GDPR, the reasonable expectations of a data subject must also be included in the balancing of interests. However, with her argument that she should not have expected her data to be processed for the purpose of creditworthiness assessment, the plaintiff disregards the contrary factual assumptions of the lower courts.
 [41] 4.12. In summary, no incorrect assessment by the lower courts can be identified with regard to the balancing of interests, whereby reference can also be made to their extensive explanations on the balancing of interests.
 [42] C. Automated individual decisions / "Profiling" (Art 22 GDPR)
 [43] 5. In the opinion of the revision, the processing by the defendant was carried out by means of profiling in accordance with Art. 4 Para. 4 GDPR and thus also entails automated individual decisions in accordance with Art. 22 GDPR. With this submission, raised for the first time in the appeal proceedings, however, the plaintiff is violating the prohibition on innovations.
 [44] D. Data are not made public
 [45] 6. The plaintiff finally claims that her files are publicly accessible because they are not only accessible to a pre-determined, externally limited group of people, but to every entrepreneur who claims a specific, legitimate interest because of an advance service to be provided by him , be granted.
 [46] At the same time, however, the plaintiff misunderstood the term “public”. In the GDPR, this is generally understood to mean the general public and thus a group of people that cannot be individually determined (see Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 9 GDPR margin no.41). The first court found that a score is calculated from the stored data, which is made available to the defendant's customers as a basis for deciding whether to contract with a person or a company or under what conditions. This is an outwardly limited group of people because only the defendant's customers have access to this data. There can therefore be no talk of "public" within the meaning of the GDPR.
 [47] 7. The judgment under appeal thus proves to be free from legal error, so that the unfounded appeal was to be unsuccessful.
 [48] The decision on the costs of the revision procedure is based on §§ 41, 50 ZPO.


European Case Law Identifier
ECLI: AT: OGH0002: 2021: 0060OB00087.21V.0623.000