[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo5COwPygLfqe1_GOSM1p6t9F2nX3kRGnQn5nyeaJQWU":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":21,"created_at":22,"published_at":23,"article":24,"tags":28,"podcasts":41},"c7ea08b1-5c19-43a2-9bc0-b7cf8f379c39","credit-agencys-failure-to-honor-erasure-rights-violates-gdpr-article-17","a65248a2-115b-4f9f-876f-c4ac959e7ab5","Credit Agency's Failure to Honor Erasure Rights Violates GDPR Article 17","A credit reporting agency failed to delete out-of-court settlement data upon a valid erasure request, leading to an incorrect credit score that caused the data subject to be denied loans. The Austrian Federal Administrative Court (BVwG) upheld the DPA's ruling that processing payment history constitutes a significant interference with privacy rights under CJEU case law. This case demonstrates that organizations handling sensitive financial data must have clear, legally compliant processes for responding to data subject rights requests. Failure to act on erasure obligations not only violates GDPR Article 17 but can cause direct, measurable harm to individuals — creating significant regulatory and reputational risk.","**Immediate actions:**\n- Audit all stored personal data categories to identify records subject to erasure obligations under GDPR Article 17.\n- Establish a formal, time-bound workflow for processing data subject erasure requests that includes legal review checkpoints.\n\n**Long-term improvements:**\n- Implement a Data Subject Rights Management (DSRM) system to track, log, and fulfill erasure, access, and rectification requests within statutory deadlines.\n- Train data governance and legal teams on evolving CJEU case law affecting the interpretation of GDPR rights, particularly for sensitive financial or behavioral data.\n- Conduct periodic data retention reviews to proactively purge records that no longer have a lawful basis for processing.\n\n**Detection & compliance measures:**\n- Implement automated alerts to flag data records that have exceeded their lawful retention period or are subject to pending erasure requests.\n- Schedule quarterly internal audits to verify that erasure requests have been fully executed across all systems, including backups and third-party processors.",[12,13,14,15,16,17,18,19,20],"GDPR Article 17 (Right to Erasure)","GDPR Article 5(1)(e) (Storage Limitation Principle)","GDPR Article 5(1)(a) (Lawfulness, Fairness, Transparency)","GDPR Article 24 (Responsibility of the Controller)","CJEU Case Law on Privacy Interference (as applied by BVwG W292 2301229-1)","NIST Privacy Framework PR.DS-P4 (Data Retention and Disposal)","CIS Control 3 (Data Protection — Data Retention and Disposal)","ISO\u002FIEC 27701:2019 Section 7.3.5 (Erasure and Anonymization)","ITIL Service Design — Information Management Policy","published","2026-07-09T16:21:10.172755+00:00","2026-07-09T16:21:10.082+00:00",{"id":7,"url":25,"slug":26,"title":27},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W292_2301229-1&diff=52176&oldid=47813","bvwg-w292-2301229-1-a0d756","BVwG - W292 2301229-1",[29,35],{"id":30,"name":31,"slug":32,"description":33,"color":34},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":36,"name":37,"slug":38,"description":39,"color":40},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]