OLG Wien - 12 R 83/25a

Summary

Austria's Higher Regional Court (OLG Wien) upheld a first-instance ruling ordering credit rating company KSV1870 and energy supplier Go Green Energy to pay €1,500 in non-pecuniary damages to a consumer who was denied a contract based on an automated credit decision without explicit consent. The court found violations of GDPR Articles 13, 14, 15, 22, and 82, including failures to disclose automated decision-making and incomplete responses to data access requests. The appellate court rejected the companies' appeals, affirming that liability under Article 82 GDPR does not depend on joint controller status or full compliance with information obligations.

Full text

Help OLG Wien - 12 R 83/25a: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 14:06, 14 April 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators292 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 14:06, 14 April 2026 OLG Wien - 12 R 83/25a Court: OLG Wien (Austria) Jurisdiction: Austria Relevant Law: Article 6(1)(f) GDPR Article 22(1) GDPR Article 22(2) GDPR Article 22(3) GDPR Decided: 30.03.2026 Published: Parties: KSV1870 Information GmbH Go Green Energy GmbH & Co KG National Case Number/Name: 12 R 83/25a European Case Law Identifier: Appeal from: LGfZRS Wien (Austria)60 Cg 82/24f-26 Appeal to: Unknown Original Language(s): German Original Source: Oberlandesgericht Wien (in German) Initial Contributor: dt A court upheld a first instance court’s decision ordering a credit rating company and an energy supplier to jointly pay €1,500 in immaterial damages to a consumer for the distress caused by the refusal of the energy supplier to enter into a contract with the consumer based on the unfavourable credit rating issued by the credit rating company. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts An individual (the data subject) commissioned a company, Energo, to enter on his behalf into an energy supply contract with conditions as favourable as possible. Energo intended to conclude a contract online with Go Green Energy GmbH (controller 1) for the supply of natural gas to the data subject’s home and initially received an email accepting the data subject as a customer. However, shortly afterwards, Energo received another email rejecting the application due to an insufficient credit score. KSV1870 Information GmbH (controller 2) conducts credit ratings for individuals and companies, calculating a ‘Risk Indicator’ which forecasts the probability of a payment default occurring within the upcoming 12 months. Go Green Energy was a customer of KSV and in this case the latter provided the data subject’s credit score which led to the rejection of his application for the energy supply contract. The data subject eventually submitted a request to Go Green Energy requesting information under GDPR, in particular regarding the data exchanged with KSV. Furthermore, he submitted an access request with KSV under Article 15 GDPR. The data subject argued that KSV’s response to his access request was incomplete and raised a claim against KSV regarding the transmission of a credit rating to Go Green Energy, as well as the resulting refusal from the latter to enter into a contract with him. The data subject claimed that he never consented to automated decision-making, but that the controllers subjected him to such decision-making unlawfully in violation of Article 22 GDPR. Moreover, the data subject claim that the controllers relied on inaccurate information to calculate his credit rating, thus breaching the principle of accuracy under Article 5(1)(d) GDPR. The data subject argued that the refusal caused him worry, annoyance and stress, thereby resulting in non-pecuniary damage. He claimed €1,500 from both controllers under Article 82 GDPR in court. KSV claimed that it processed personal data under Article 6(1)(f) GDPR (i.e. legitimate interest) and that all data subjects have the right to request correction of their personal data used for the purpose of credit rating. Moreover, KSV argued that it only provided Go Green Energy with a credit rating, which was not a sufficient reason to refuse to enter into a contract, and that it had no control over Go Green Energy’s reasons for refusal. Go Green Energy argued that its automated decision-making was necessary due to the high number of requests for contracts it receives, and that it is permitted under Article 22(2)(a) GDPR. It further claimed that manually verifying every credit rating would be unreasonable, that it did not violate Article 5 GDPR, and that had a human being reviewed the case, it would have reached the same conclusion and the subsequent rejection would have led to the same alleged stress, annoyance and concern. The Vienna Regional Court for Civil Matters issued a judgment in this case and held that the data subject suffered distress as a result of Go Green Energy’s refusal for which the data subject could claim compensation under Article 82(1) GDPR. The first court also found that the controllers violated their information obligations under Article 13(2)(f) GDPR and Article 14(2) GDPR since they failed to indicate how Go Green Energy’s terms and conditions informed consumers that they were subject to automated decision-making. Moreover, the first court held that the controllers breached Article 15(1)(h) by failing to provide complete information to the data subject’s access request, in particular regarding the existence of automated decision-making and the logic behind it. The controllers appealed the judgment in front of the Vienna Higher Regional Court. Holding Firstly, the appellate court held that an alleged incorrect legal assessment by the first court in establishing a link between alleged damage and a GDPR violation did not constitute grounds for annulment of the judgement. Secondly, the court held that the assessment of the controllers’ liability under Article 82 GDPR does not depend on whether they are joint controllers nor on whether the first defendant has fully complied with its obligation to provide information to the data subject under Article 15(1)(h) GDPR. Thirdly, the court dismissed Go Green Energy’s claims that the trial court’s judgement contained reasoning deficiencies, noting that the distress suffered by the data subject was obvious from the submissions and pointing out that whether the first court considered sufficiently all the evidence was not a matter to be examined in the context of the alleged lack of reasoning of the court. Fourthly, the court found that KSV improperly raised a challenge to the facts regarding what caused distress to the data subject, by seeking an additional finding that the inability to secure a fixed rate for energy supply led to the data subject’s distress instead of the refusal he received based on the credit rating. However, the court held that the controller failed to show that the finding it sought was contrary to the finding made by the first court. Fifth, the court dismissed the data subject’s objection to the facts regarding the list of variables provided as evidence of the logic involved in the automated decision-making process. The court held that even if the information does not specify how the individual variables affected the score, it did not mean that the list was not exhaustive. Credit rating as an automated decision within the meaning of Article 22(1) GDPR The court analysed the objection to the finding that the generation of the credit rating constituted an automated decision within the meaning of Article 22(1) GDPR. KSV argued that the legal or significant adverse effect on the data subject was not present, and that the latter was only minimally affected by Go Green Energy’s refusal to conclude the contract since he concluded the desired contract with a different provider and subsequently rejected Go Green Energy’s offer for the contract after their case-by-case review. Thus, KSV claimed that Article 22 GDPR was not applicable and the subsequent information obligations could not have been violated either. However, the court referred to the SCHUFA II case (C-634/21) and showed that the credit rating in this case fell under the application of Article 22 GDPR, since it was a decision based solely on automated processing including profiling which produced legal effects or significantly affected the data subject in a similar manner. It further emphasised that following the CJEU’s decision in the SCHUFA II c

Entities