Austrian Court Rules Credit Agencies Must Erase Insolvency Data After Public Register Removal
The Austrian Supreme Administrative Court confirmed that credit agencies cannot indefinitely retain personal insolvency data sourced from public registers once that data has been officially removed. Continued processing of such data for creditworthiness assessments lacks a lawful basis under GDPR, as the original public-interest justification ceases to exist when the register entry is deleted. This ruling reinforces that data minimisation and storage limitation principles are not optional — organisations must actively review and purge data whose legal basis has expired. Failure to comply exposes organisations to enforcement actions, fines, and reputational damage. The decision aligns with CJEU precedent, signalling a stricter pan-European standard for how derived or secondary data sources must be managed.
Tactical Insight
Immediate Actions
- Audit all personal data held from public registers and verify whether the original source entries still exist and justify retention.
- Implement a formal erasure workflow triggered whenever a public register removal is detected or notified.
Long-term Improvements
- Establish automated data lifecycle management policies that link retention periods to the validity of the underlying legal basis for each data category.
- Maintain a Record of Processing Activities (RoPA) that explicitly documents the lawful basis, source, and expiry conditions for every personal data set.
- Conduct periodic Data Protection Impact Assessments (DPIAs) for creditworthiness processing activities to reassess lawful basis on a scheduled basis.
Governance & Compliance Measures
- Train data governance and compliance teams on the right to erasure under GDPR Article 17 and the obligation to monitor source data validity.
- Establish a clear Subject Access and Erasure Request procedure with defined SLAs to respond to Article 17 requests without undue delay.