Back to all lessons
Awareness Lessons
3 days ago

Credit Agency's Failure to Honor Erasure Rights Violates GDPR Article 17

A credit reporting agency failed to delete out-of-court settlement data upon a valid erasure request, leading to an incorrect credit score that caused the data subject to be denied loans. The Austrian Federal Administrative Court (BVwG) upheld the DPA's ruling that processing payment history constitutes a significant interference with privacy rights under CJEU case law. This case demonstrates that organizations handling sensitive financial data must have clear, legally compliant processes for responding to data subject rights requests. Failure to act on erasure obligations not only violates GDPR Article 17 but can cause direct, measurable harm to individuals — creating significant regulatory and reputational risk.

Tactical Insight

Immediate actions

  • Audit all stored personal data categories to identify records subject to erasure obligations under GDPR Article 17.
  • Establish a formal, time-bound workflow for processing data subject erasure requests that includes legal review checkpoints.

Long-term improvements

  • Implement a Data Subject Rights Management (DSRM) system to track, log, and fulfill erasure, access, and rectification requests within statutory deadlines.
  • Train data governance and legal teams on evolving CJEU case law affecting the interpretation of GDPR rights, particularly for sensitive financial or behavioral data.
  • Conduct periodic data retention reviews to proactively purge records that no longer have a lawful basis for processing.

Detection & compliance measures

  • Implement automated alerts to flag data records that have exceeded their lawful retention period or are subject to pending erasure requests.
  • Schedule quarterly internal audits to verify that erasure requests have been fully executed across all systems, including backups and third-party processors.