[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fypUCsSSmpOC69PtGDeLKjoXr7lmylWX8aG81MpPY0XY":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"41a9655f-20cc-48ea-a023-2000bd167a13","BVwG - W254 2253353-1","bvwg-w254-2253353-1-d04e79","Created page with \"{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W254 2253353-1 |ECLI=ECLI:AT:BVWG:2025:W254.2253353.1.00 |Original_Source_Name_1=RIS |Original_Source_Link_1=https:\u002F\u002Fwww.ris.bka.gv.at\u002FDokument.wxe?ResultFunctionToken=7304396c-6bd7-40e4-ba7f-c671be32ba3a&Position=...\" Show changes","An Austrian court has ruled that a data controller must provide clear and meaningful information about how a data subject's credit score was calculated, as per Article 15(1)(h) of the GDPR. The court found that credit scoring constitutes profiling based on automated processing, impacting third-party decisions. The controller's claim of trade secrets was deemed too general to exempt them from providing the required details.","Austrian court rules controller must provide meaningful credit score calculation details under GDPR.","Help BVwG - W254 2253353-1: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 05:22, 13 July 2026 view source Marcm (talk | contribs)14 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 05:22, 13 July 2026 BVwG - W254 2253353-1 Court: BVwG (Austria) Jurisdiction: Austria Relevant Law: Article 4(1) GDPR Article 4(4) GDPR Article 12 GDPR Article 14 GDPR Article 15 GDPR Article 22(1) GDPR Article 133(4) B-VG Decided: 17.11.2025 Published: 04.02.2026 Parties: complainant (controller) interested party (data subject) DSB (DPA) National Case Number\u002FName: W254 2253353-1 European Case Law Identifier: ECLI:AT:BVWG:2025:W254.2253353.1.00 Appeal from: DSB (Austria)n\u002Fa (03.01.2022) Appeal to: Appealed - OverturnedVwGH (Austria)Ra 2026\u002F04\u002F0002 Original Language(s): German Original Source: RIS (in German) Initial Contributor: Marc-Michael Haupt A court held that a controller must provide meaningful information to clarify how the data subject's credit score was calculated. If a disclosure of trade secrets is alleged, the court determines the extent of the controller's information obligation. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts On 07.04.2021, the data subject requested access to their data under Article 15 GDPR. The controller replied on 12.04.2021 and provided further information on 27.05.2021 after the data subject made a further enquiry. As the controller's privacy policy listed significantly more data being collected, the data subject lodged a complaint with the Austrian DPA (DSB) on 13.07.2021. They argued that the data provided and its sources were incomplete. On 03.01.2022, the DPA partly upheld the complaint and ruled that the controller violated the right of access by not providing information pursuant to Article 15(1)(h) GDPR, as the calculation of the creditworthiness constitutes profiling under Article 4(4) GDPR. On 09.02.2022, the controller appealed, stating that its calculations were not based on automated processing and that providing further information would reveal trade secrets. The proceedings were stayed until the CJEU's preliminary ruling in 'Dun & Bradstreet Austria' (C‑203\u002F22) ECLI:EU:C:2025:117. By letter of 15.05.2025, the court resumed the case. During the entire proceedings, the controller gradually provided further information on the personal data being processed and the calculation of the credit score. Hence, the following data is used to calculate the credit score: Name, age, gender, address, macroeconomic statistical parameters, payment history. The calculation itself is performed automatically using an algorithm and the same formula unless the controller's customers order a different score model. Holding First the court ruled that the controller had an obligation to provide information under Article 15(1)(h) GDPR, as all three cumulative requirements pursuant to Article 22 GDPR were stated to be met: A credit score was calculated ('decision'), which predicts various aspects of the data subject, including their economic situation, for example. This constitutes profiling within the meaning of Article 4(4) GDPR ('based solely on automated processing, including profiling'), impacting the decision-making of third parties regarding contractual relationships with the data subject ('produces legal effects [...] or [...] similarly significantly affects' concerning the data subject) . Second, the court held that the controller failed to provide meaningful information under Article 15(1)(h) GDPR to sufficiently explain why the data subject had been assigned a particular credit score, including the logic and weighting of the data categories in question, and its corresponding effects on the data subject. Third, the court ruled that the controller asserted the presence of trade secrets in very general terms without providing the allegedly protected information to the DPA or the court. Fourth, the court held that no appeal to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof) was admissible pursuant to Article133(4) B-VG, as no (further) indications of legal questions of fundamental importance were raised. The court based their ruling, among others, in accordance with the following CJEU's judgments: In 'SCHUFA' (C‑634\u002F21) ECLI:EU:C:2023:957, the court ruled that the concept of 'automated individual decision-making' under Article 22(1) GDPR encompasses the provision of a probability value regarding a data subject's 'ability to meet payment commitments', on which a third party heavily relies to decide whether 'to establish, implement or terminate' a contract with that data subject. In 'Dun & Bradstreet Austria' (C-203\u002F22) ECLI:EU:C:2025:117, the court stated that the wording of Article 15(1)(h) GDPR must be understood as meaning that the controller must provide clear, transparent and understandable information about the methods and principles used to produce the data subject's credit score. If the controller claims that sharing this information would disclose trade secrets or data of third parties, the competent DPA or court must balance the competing rights and interests to determine the extent of the disclosure. Comment The controller lodged an extraordinary appeal with the Austrian Supreme Administrative Court. On 11.06.2026, the court quashed the decision due to an error of law. The BVwG failed to make any findings regarding the existence of an automated decision and its effects on the data subject (VwGH 11.06.2026, Ra 2026\u002F04\u002F0002). Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. Decision Date November 17, 2025 Legal Norm Federal Constitutional Law (B-VG) Art. 133 para. 4 GDPR Art. 12 GDPR Art. 14 GDPR Art. 15 GDPR Art. 22 para. 1 GDPR Art. 4 no. 1 GDPR Art. 4 no. 4 Federal Constitutional Law (B-VG) Art. 133 currently in force; Federal Constitutional Law (B-VG) Art. 133 valid from January 1, 2019 to May 24, 2018, last amended by Federal Law Gazette I No. 138\u002F2017; Federal Constitutional Law (B-VG) Art. 133 valid from January 1, 2019, last amended by Federal Law Gazette I No. 22\u002F2018; Federal Constitutional Law (B-VG) Art. 133 valid from May 25, 2018 to December 31, 2018, last amended by Federal Law Gazette I No. 22\u002F2018; Federal Constitutional Law (B-VG) Art. 133 valid from Article 133 of the Federal Constitutional Law (B-VG) valid from 1 August 2014 to 24 May 2018, last amended by Federal Law Gazette I No. 164\u002F2013; Article 133 valid from 1 January 2014 to 31 July 2014, last amended by Federal Law Gazette I No. 51\u002F2012; Article 133 valid from 1 January 2004 to 31 December 2013, last amended by Federal Law Gazette I No. 100\u002F2003; Article 133 valid from 1 January 1975 to 31 December 2003, last amended by Federal Law Gazette No. 444\u002F1974; Article 133 valid from 25 December 1946 to 31 December 1974, last amended by Federal Law Gazette No. 211\u002F1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946, last amended by Federal Law Gazette No. 4\u002F1945. B-VG Art. 133 valid from January 3, 1930 to June 30, 1934. Ruling W254 2253353-1\u002F26E IN THE NAME OF THE REPUBLIC! The Federal Administrative Court, composed of Judge Dr. Tatjana Cardona as presiding judge, and lay judges Mag. Viktoria Haidinger and Mag. Thomas Gschaar as associate judges, renders the following judgment on the appeal of XXXX, represented by Baker McKenzie Rechtsanwälte LLP & Co KG, against points 1 and 2 of the decision of the Data Protection Authority dated January 3, 2022, file number XXXX (intervening party: XXXX, represented by attorney Mag. Robert Haupt LL.M.), concerning a data protection matter, after conducting an oral hearing: The Federal Administrative Court, composed of Judge Dr. Tatjana Cardon","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W254_2253353-1&diff=52184&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-07-13T05:22:47+00:00","2026-07-13T06:00:16.221135+00:00",7,[18,21],{"name":19,"type":20},"GDPR","product",{"name":22,"type":23},"Dun & Bradstreet Austria","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":26,"name":19,"slug":27},null,"gdpr",[29,31,36,41],{"category":30},{"id":24,"icon":26,"name":19,"slug":27},{"category":32},{"id":33,"icon":26,"name":34,"slug":35},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":37},{"id":38,"icon":26,"name":39,"slug":40},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":42},{"id":43,"icon":26,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]