Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Recent decisions of the Austrian Data Protection Authority (3/3)

02.09.2019

This article presents the third of three interesting decisions on Austrian data protection law, which deal in particular with the confirmation of remedial measures taken during a consultation pursuant to Art 36 GDPR, the right to deletion pursuant to Art 17 GDPR, and an evaluation of a data controller.

3. Credit information agency as the data controller for the credit rating carried out – Case no. D123.688/03-DSB/2018

In its decision of 13 May 2019, the Austrian data protection authority had to deal with the question of whether a credit agency should be qualified as the data controller for the credit assessment it had carried out. The subject of the proceedings was an alleged violation of the right to information. In addition to several violations alleged by the complainant, which were essentially limited to incomplete information, the complainant claimed that the respondent, which operates a credit agency, had not provided any further details on the logic involved or on the scope and intended effects of the credit assessment carried out on the complainant. In summary, the respondent replied that the decision on whether to conclude a legal transaction, and in what form, was taken exclusively by the company querying the respondent.

In this regard, the data protection authority stated that the respondent processes personal data for the purpose of exercising its trade in accordance with § 152 GewO 1994 (Austrian Trade Regulation Act, credit agencies on credit relationships) and that it calculates, on the basis of statistical probability and certain parameters, a mathematical value that reflects the probability of non-payment. The fact that companies have the option of incorporating the weighting or other parameters (such as their own payment experience with the end customer/individual concerned) into the logic does not alter this. Accordingly, the respondent cannot be regarded as a processor: the data are not processed solely on behalf of the respective customer; rather, processing is carried out independently of the customer within the scope of the exercise of the trade under § 152 GewO 1994, and the "score formula" (i.e. which concrete items of personal information are combined with each other, and in which concrete way, in order to calculate a certain creditworthiness) is determined by the respondent itself. In the opinion of the data protection authority, this is an independent decision-making process of the respondent, since the respondent engages in the above-mentioned business in order to bring calculated creditworthiness data into commercial circulation and, according to general life experience, this can be associated with considerable impairments in commercial life.

If an end customer who obtains the creditworthiness information makes a certain decision on the basis of the calculated creditworthiness (for example, by taking the creditworthiness result as the basis for its economic decision without questioning it), this is a second, independent decision-making process of the end customer. As a result, the performance mandate was to be issued to the respondent to provide meaningful information about the logic involved as well as the scope and intended effects of the credit assessment concerning the complainant. The decision is not final.

 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)
