OLG Wien - 12 R 83/25a

Summary

Austria's OLG Wien upheld a first-instance ruling against KSV1870 Information GmbH (credit agency) and Go Green Energy GmbH (energy supplier) for jointly paying €1,500 in immaterial damages to a consumer. The court found that automated credit scoring and contract rejection violated GDPR Article 22 (automated decision-making) and Article 5 (accuracy), as the controllers failed to provide required information and safeguards. The ruling reinforces that automated decision-making is lawful only when proper safeguards, transparency, and consent mechanisms are in place.

Full text

Help OLG Wien - 12 R 83/25a: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:45, 14 April 2026 view sourceMba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators897 editsm Tag: Visual edit← Older edit Latest revision as of 16:32, 14 April 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators294 editsm Tag: Visual edit Line 70: Line 70: }}}} A court upheld a first instance court’s decision ordering a credit rating company and an energy supplier to jointly pay €1,500 in immaterial damages to a consumer for the distress caused by the refusal of the energy supplier to enter into a contract with the consumer based on the unfavourable credit rating issued by the credit rating company.A court upheld a decision against a credit information agency and an energy provider, awarding a data subject immaterial damages in the amount of €1,500 for unlawful credit scoring and the automated refusal to conclude an energy supply contract. In particular, the court held that automated decision making is only lawful when appropriate safeguards are in place. == English Summary ==== English Summary == Latest revision as of 16:32, 14 April 2026 OLG Wien - 12 R 83/25a Court: OLG Wien (Austria) Jurisdiction: Austria Relevant Law: Article 6(1)(f) GDPR Article 22(1) GDPR Article 22(2) GDPR Article 22(3) GDPR Decided: 30.03.2026 Published: Parties: KSV1870 Information GmbH Go Green Energy GmbH & Co KG National Case Number/Name: 12 R 83/25a European Case Law Identifier: Appeal from: LGfZRS Wien (Austria)60 Cg 82/24f-26 Appeal to: Unknown Original Language(s): German Original Source: Oberlandesgericht Wien (in German) Initial Contributor: dt A court upheld a decision against a credit information agency and an energy provider, awarding a data subject immaterial damages in the amount of €1,500 for unlawful credit scoring and the automated refusal to conclude an energy supply contract. In particular, the court held that automated decision making is only lawful when appropriate safeguards are in place. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts An individual (the data subject) intended to conclude an energy supply contract online with Go Green Energy GmbH (the energy provider). After initially receiving an email accepting the data subject as a customer the data subject's contract was automatically rejected due to an insufficient credit score provided to the energy provider by KSV1870 Information GmbH (the credit information agency or "KSV"). Therefore, the credit information agency's credit score led to the automated rejection of the data subject's application for the energy supply contract. The data subject eventually submitted a request to the energy provider requesting information under GDPR, in particular regarding the data exchanged with KSV. Furthermore, he submitted an access request with KSV under Article 15 GDPR. The data subject considered KSV’s response to his access request to be incomplete and filed a lawsuit claiming damages from KSV as well as the energy provider. The data subject claimed that he never consented to automated decision-making, but that the two controllers subjected him to such decision-making unlawfully in violation of Article 22 GDPR. Moreover, the data subject claim that the controllers relied on inaccurate information to calculate his credit rating, thus breaching the principle of accuracy under Article 5(1)(d) GDPR. The data subject argued that the refusal caused him worry, annoyance and stress, thereby resulting in non-pecuniary damage. He claimed €1,500 from both controllers under Article 82 GDPR in court. KSV claimed that it processed personal data under Article 6(1)(f) GDPR (i.e. legitimate interest) and that all data subjects have the right to request correction of their personal data used for the purpose of credit rating. Moreover, KSV argued that it only provided the energy provider with a credit rating, which was not a sufficient reason for a refusal to enter into a contract, and that it had no control over the energy provider's reasons for refusal. Therefore, KSV considered that their credit scoring could not be considered automated decision making under Article 22 GDPR. The energy provider argued that its automated decision-making was necessary due to the high number of requests for contracts it receives, and that it is permitted under Article 22(2)(a) GDPR. It further claimed that manually verifying every credit rating would be unreasonable, that it did not violate Article 5 GDPR, and that in case a human being would have reviewed the case, it would have reached the same conclusion and the subsequent rejection would have led to the same alleged stress, annoyance and concern. The Vienna Regional Court for Civil Matters found that the controllers violated their information obligations under Article 13(2)(f) GDPR and Article 14(2) GDPR since they failed to inform the data subject about the fact that they are subject to automated decision-making, the court also found a violation of the data subject's right to an explanation under Article 15(1)(h) GDPR and awarded damages under Article 82(1) GDPR in the amount of €1,500. The controllers appealed the judgment to the Vienna Higher Regional Court. Holding The court dismissed the controllers' appeals. Credit rating as an automated decision within the meaning of Article 22(1) GDPR The court analysed the objection to the finding that the generation of the credit rating constituted an automated decision within the meaning of Article 22(1) GDPR. KSV argued that the legal or significant adverse effect on the data subject was not present, and that the latter was only minimally affected by the energy provider's refusal to conclude the contract since he concluded the desired contract with a different provider and subsequently rejected the energy provider’s offer for the contract after their case-by-case review. Thus, KSV claimed that Article 22 GDPR was not applicable and the subsequent information obligations could not have been violated either. However, the court referred to the SCHUFA II case (C-634/21) and showed that the credit rating in this case fell under the application of Article 22 GDPR, since it was a decision based solely on automated processing including profiling which produced legal effects or significantly affected the data subject in a similar manner. It further emphasised that following the CJEU’s decision in the SCHUFA II case, it is generally prohibited to calculate a probability score which plays a decisive role in the granting of a loan to the data subject pursuant to Article 22(1) GDPR. Thus, the court stated that credit rating is only currently permitted on the basis of explicit consent. Moreover, the court concluded that the credit rating calculated by KSV was also the cause of the energy provider’s refusal to enter into a contract with the data subject, causing the latter distress. Therefore, the court held that KSV is liable to the data subject for the damage. In addition, the court considered that the lack of knowledge invoked by KSV was irrelevant in regard to the energy provider’s refusal to enter into a contract with the data subject, since the credit rating was a decision within the meaning of Article 22(1) GDPR regardless if the third party, in this case the energy provider, makes a subsequent decision based on the credit rating. KSV should have anticipated, according to the court, that the credit rating would be used in the context of an automated decision. The court established that it was irrelevant to its liability under Article 82 GDPR whether the controller breached information obligations under Article 14(2) GDPR and 15(1)(h) GDPR, since the data subject did not base his claim for damages on these clai

Entities