noyb has scored a win in its complaint proceedings against the Austrian credit information agency KSV1870 and the energy provider Unsere Wasserkraft. The Austrian Data Protection Authority has found KSV1870's fully automated credit rating – which prevented the complainant from concluding an energy supply contract – to be unlawful. The DSB has also prohibited KSV1870 from carrying out such credit checks in future without the complainant's consent. Last but not least, the authority also reprimanded the two companies for their lack of transparency. They must now also provide a comprehensible explanation of the decisions they have made.
Complaint against unlawful credit scoring. About a year ago, noyb filed a complaint against KSV1870 and the energy provider Unsere Wasserkraft with the Austrian Data Protection Authority (DSB). The complainant, represented by noyb, was subjected to a fully automated credit rating by KSV1870 without being asked. This led to a – likewise fully automated – refusal of Unsere Wasserkraft to conclude a contract with the data subject. All this happened without the potential customer being informed. The GDPR makes it unambiguously clear that fully automated decisions with such far-reaching consequences are generally prohibited (with only a few exceptions).
Business as usual despite clear CJEU ruling. With regard to automated credit ratings by credit information agencies, the CJEU already clarified in 2023 that such a practice is unlawful. In its ruling on a case against the German credit information agency SCHUFA, the Court stated that if companies use the results of a credit assessment as a decisive factor in their decisions, this credit rating is considered a prohibited decision under Article 22 GDPR. Only if special conditions are met – such as the explicit consent of the data subject – would such a decision be permissible.
Martin Baumann, data protection lawyer at noyb: ‘Hopefully, the DSB's findings will help put a stop to illegal practices in the credit rating industry. Several years ago, the CJEU already made it clear that fully automated credit ratings in this form are inadmissible. This must finally be put into practice.’
DSB issues processing ban. The DSB has now clarified that KSV1870's actions violate the prohibition of automated individual decision-making and that the credit information agency has not complied with the respective transparency obligations. It is noteworthy that the DSB has not only instructed KSV to provide a comprehensible explanation of the (unlawful) credit rating. The authority has also issued a ban on carrying out automated credit checks using the complainant's data in future without his consent.
Martin Baumann, data protection lawyer at noyb: ‘We welcome the DSB's vehement action in this case. It shows that companies should thoroughly check whether the automated decisions they make are compatible with the fundamental right to data protection.’
Non-transparent conduct by energy supplier. The DSB also reprimanded the approach taken by the energy provider Unsere Wasserkraft. In connection with the fully automated rejection of the complainant, the supplier violated its transparency obligations. If Unsere Wasserkraft wishes to continue assess the creditworthiness of its potential customers, it must adapt the relevant processes to bring them into compliance with applicable data protection law.
The DSB's decision is not final; noyb expects the controllers to appeal it.
