Back to Feed
PolicyJul 9, 2026

BVwG - W292 2301229-1

Data subject's right to erasure under GDPR upheld by DPA and court.

Summary

A data subject filed a complaint regarding the erasure of payment history data, which led to loan rejections due to an error in their credit score. The DPA applied CJEU case law to determine that processing payment history significantly interferes with privacy rights. The DPA ruled that the credit reporting agency violated the data subject's right to erasure under Article 17 GDPR by not deleting data related to out-of-court settlements.

Full text

Help BVwG - W292 2301229-1: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:41, 11 June 2025 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators727 editsmTag: Visual edit← Older edit Latest revision as of 14:21, 9 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators158 editsm Tag: Visual edit Line 44: Line 44: |GDPR_Article_Link_9=|GDPR_Article_Link_9= |EU_Law_Name_1=Article 7 CFREU|EU_Law_Name_1=Article 7 CFR |EU_Law_Link_1=https://www.europarl.europa.eu/charter/pdf/text_en.pdf|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT |EU_Law_Name_2=Article 8 CFREU|EU_Law_Name_2=Article 8 CFR |EU_Law_Link_2=https://www.europarl.europa.eu/charter/pdf/text_en.pdf|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT |EU_Law_Name_3=|EU_Law_Name_3= |EU_Law_Link_3=|EU_Law_Link_3= Line 83: Line 83: In 2024, a data subject filed a complaint to the DPA regarding the right to erasure of stored payment history data. The controller, a credit reporting agency, updated the data subject’s credit score following an out of court proceedings in 2019. The data subject’s request for a loan was rejected on the basis that banks received the information “Score value 0 - no calculation possible” when requesting information about the data subject. This value was an error as a result of the controller not being able to correctly assign a numerical value to the out of court proceedings. The entries analysed by the DPA and Court were the ones on the completion of out of court settlement and “Score value 0: No calculation possible”. In 2024, a data subject filed a complaint to the DPA regarding the right to erasure of stored payment history data. The controller, a credit reporting agency, updated the data subject’s credit score following an out of court proceedings in 2019. The data subject’s request for a loan was rejected on the basis that banks received the information “Score value 0 - no calculation possible” when requesting information about the data subject. This value was an error as a result of the controller not being able to correctly assign a numerical value to the out of court proceedings. The entries analysed by the DPA and Court were the ones on the completion of out of court settlement and “Score value 0: No calculation possible”. In its decision, the DPA applied the reasoning of CJEU case law (the [[CJEU - C‑26/22 and C‑64/22 - SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases)|SCHUFA case]]) to conclude that the processing of payment history also constitutes a serious interference with the fundamental right to privacy and data protection ([https://www.europarl.europa.eu/charter/pdf/text_en.pdf Articles 7 and 8 CFREU]). The DPA then applied national law on time limits in processing of data related to insolvency procedures, arguing that the controller should have deleted the data relating to the out of court settlement. By not deleting this information the controller was violating the data subject's right to erasure under Article 17 GDPR. In its decision, the DPA applied the reasoning of CJEU case law (the [[CJEU - C‑26/22 and C‑64/22 - SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases)|SCHUFA case]]) to conclude that the processing of payment history also constitutes a serious interference with the fundamental right to privacy and data protection ([https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT Article 7 CFR and Article 8 CFR]). The DPA then applied national law on time limits in processing of data related to insolvency procedures, arguing that the controller should have deleted the data relating to the out of court settlement. By not deleting this information the controller was violating the data subject's right to erasure under Article 17 GDPR. The controller disputed the DPA's reasoning and brought an appeal to the Federal Administrative Court. The controller argued that the SCHUFA case did not apply, because it related to publicly accessible data. It also claimed that the data processing was not a serious interference with the data subject's fundamental rights. The controller disputed the DPA's reasoning and brought an appeal to the Federal Administrative Court. The controller argued that the SCHUFA case did not apply, because it related to publicly accessible data. It also claimed that the data processing was not a serious interference with the data subject's fundamental rights. Latest revision as of 14:21, 9 July 2026 BVwG - W292 2301229-1 Court: BVwG (Austria) Jurisdiction: Austria Relevant Law: Article 4(4) GDPR Article 5(1)(a) GDPR Article 6(1)(f) GDPR Article 15(1)(h) GDPR Article 17 GDPR Article 22(1) GDPR Article 22(2) GDPR Article 7 CFRArticle 8 CFR Decided: 28.03.2025 Published: 27.05.2025 Parties: National Case Number/Name: W292 2301229-1 European Case Law Identifier: Appeal from: Appeal to: Unknown Original Language(s): German Original Source: RIS (in German) Initial Contributor: ap A court concluded that credit scoring is itself a decision, and that the rules regarding automated decision making apply to credit scoring if done automatically. Because of this the controller (a credit agency) was considered to be processing data in breach of the GDPR and ordered to delete the data subjects data. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In 2024, a data subject filed a complaint to the DPA regarding the right to erasure of stored payment history data. The controller, a credit reporting agency, updated the data subject’s credit score following an out of court proceedings in 2019. The data subject’s request for a loan was rejected on the basis that banks received the information “Score value 0 - no calculation possible” when requesting information about the data subject. This value was an error as a result of the controller not being able to correctly assign a numerical value to the out of court proceedings. The entries analysed by the DPA and Court were the ones on the completion of out of court settlement and “Score value 0: No calculation possible”. In its decision, the DPA applied the reasoning of CJEU case law (the SCHUFA case) to conclude that the processing of payment history also constitutes a serious interference with the fundamental right to privacy and data protection (Article 7 CFR and Article 8 CFR). The DPA then applied national law on time limits in processing of data related to insolvency procedures, arguing that the controller should have deleted the data relating to the out of court settlement. By not deleting this information the controller was violating the data subject's right to erasure under Article 17 GDPR. The controller disputed the DPA's reasoning and brought an appeal to the Federal Administrative Court. The controller argued that the SCHUFA case did not apply, because it related to publicly accessible data. It also claimed that the data processing was not a serious interference with the data subject's fundamental rights. Holding The Court upheld the decision on the DPA regarding automated processing, but dismissed the reasoning on processing of payment history. The Court upheld the arguments of the controller, and stated that the facts of the current case differ in essential elements to SCHUFA. The Court concluded that the processing was valid under Article 6(1)(f) GDPR because the controller makes this information available to a limited number of lending insurance companies. The Court also considered that the effect of this processing was not detrimental to the data subject, because they were able to conclude two leasing agreements following the out of court proceedings. In its analysis of the zero-s

Entities

SCHUFA Holding (vendor)credit reporting (technology)