[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSk2pwkDS5kixMU_nta7L2PVsoh1EaGY3DgJNGclF0fc":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":22,"created_at":23,"published_at":24,"article":25,"tags":29,"podcasts":42},"57f4816c-d209-40aa-a49f-2ef6599b41f0","austrian-court-rules-credit-agencies-must-erase-insolvency-data-after-public-register-removal","8e7c180e-92e0-4ce5-ab7d-3e85961f60ef","Austrian Court Rules Credit Agencies Must Erase Insolvency Data After Public Register Removal","The Austrian Supreme Administrative Court confirmed that credit agencies cannot indefinitely retain personal insolvency data sourced from public registers once that data has been officially removed. Continued processing of such data for creditworthiness assessments lacks a lawful basis under GDPR, as the original public-interest justification ceases to exist when the register entry is deleted. This ruling reinforces that data minimisation and storage limitation principles are not optional — organisations must actively review and purge data whose legal basis has expired. Failure to comply exposes organisations to enforcement actions, fines, and reputational damage. The decision aligns with CJEU precedent, signalling a stricter pan-European standard for how derived or secondary data sources must be managed.","**Immediate Actions:**\n- Audit all personal data held from public registers and verify whether the original source entries still exist and justify retention.\n- Implement a formal erasure workflow triggered whenever a public register removal is detected or notified.\n\n**Long-term Improvements:**\n- Establish automated data lifecycle management policies that link retention periods to the validity of the underlying legal basis for each data category.\n- Maintain a Record of Processing Activities (RoPA) that explicitly documents the lawful basis, source, and expiry conditions for every personal data set.\n- Conduct periodic Data Protection Impact Assessments (DPIAs) for creditworthiness processing activities to reassess lawful basis on a scheduled basis.\n\n**Governance & Compliance Measures:**\n- Train data governance and compliance teams on the right to erasure under GDPR Article 17 and the obligation to monitor source data validity.\n- Establish a clear Subject Access and Erasure Request procedure with defined SLAs to respond to Article 17 requests without undue delay.",[12,13,14,15,16,17,18,19,20,21],"GDPR Article 5(1)(e) – Storage Limitation","GDPR Article 5(1)(c) – Data Minimisation","GDPR Article 17 – Right to Erasure","GDPR Article 6 – Lawfulness of Processing","GDPR Article 30 – Records of Processing Activities","NIST SP 800-53 SI-12 – Information Management and Retention","NIST Privacy Framework PR.DS-P4 – Data Retention and Disposal","CIS Control 3 – Data Protection (Data Retention and Disposal)","ISO\u002FIEC 27001:2022 Annex A 8.10 – Information Deletion","ITIL Service Design – Information Security Policy and Data Management","published","2026-07-09T16:22:00.576454+00:00","2026-07-09T16:22:00.268+00:00",{"id":7,"url":26,"slug":27,"title":28},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=VwGH_-_Ro_2020\u002F04\u002F0031-9&diff=52174&oldid=40601","vwgh-ro-2020-04-0031-9-a921f1","VwGH - Ro 2020\u002F04\u002F0031-9",[30,36],{"id":31,"name":32,"slug":33,"description":34,"color":35},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":37,"name":38,"slug":39,"description":40,"color":41},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]