Recent decisions of the Austrian Data Protection Authority (3/3)
3. Credit information agency as the data controller for the credit rating carried out – Case no. D123.688/03-DSB/2018
In the decision of 13 May 2019 the Austrian data protection authority had to deal, as part of its decision , with the question of whether a credit agency should be qualified as data controller for the credit assessment it had carried out. The subject of the procedure is an alleged violation of the right to information. In addition to several violations alleged by the complainant, which were essentially limited to incomplete information, it was claimed that the respondent, who operates a credit agency, had not provided any further details with regard to the logic involved and the scope and intended effects of the credit assessment carried out on the complainant. In summary, the respondent responded that the decision on the conclusion of a legal transaction or on the form in which the legal transaction was concluded was taken exclusively by the company querying the respondent.
In this regard, the data protection authority stated that the respondent processes personal data for the purpose of exercising its trade in accordance with § 152 GewO 1994 (Austrian Trade Regulation Act - credit agencies on credit relationships) and that, on the basis of statistical probability, a mathematical value is calculated on the basis of certain parameters which reflects the probability of non-payment. The fact that companies have the option of incorporating the weighting or other parameters (such as their own payment experience with the end customer/individual concerned) into the logic does not harm this. In the sense of the above considerations, the respondent cannot be understood as a processor, since the data are not only processed on behalf of the respective customer, but a processing is carried out independently of it within the scope of the exercise of the trade according to §152 GewO 1994 and the "score formula" - i.e. which concrete information with personal reference is combined with each other in which concrete way in order to calculate a certain creditworthiness - is determined by the respondent itself. In the opinion of the data protection authority, this is an independent decision-making process for the respondent, since the respondent is engaged in the above-mentioned business in order to bring calculated creditworthiness data into commercial circulation and, according to general life experience, this can be associated with considerable impairments in commercial life.
If an end customer who obtains the creditworthiness information makes a certain decision on the basis of the calculated creditworthiness - for example, by taking the creditworthiness result as the basis for his economic decision without questioning it - this is a second independent decision-making process for the end customer. As a result, the performance mandate was to be issued to the respondent, to provide the respondent with meaningful information about the logic involved as well as the scope and desired effects of the credit assessment concerning the complainant. The decision is not final.
Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M. (EUROLAWYER, Austria)
Previous article: 2. No right to deletion from a doctor search and assessment portal - Case no. D123.527/0004-DSB/2018
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org