“Processing & Storage of Creditworthiness Data – The alpha & omega: Balancing of Interests”
The question when the processing of personal data is lawful under Art 6 para lit f GDPR (for purposes of the overriding legitimate interests pursued by the controller or a third party) and how long payment or creditworthiness data may be stored, has only recently been decided by the Austrian Supreme Court (hereinafter referred to as “OGH”) in its decision 6 Ob 87/21v from June 23rd, 2021.
In summary, the aforementioned decision states:
- the assessment of the lawfulness of the processing must be based on a case-by-case objective balancing of interests
- Payment or creditworthiness data may be stored for a period of at least 5 years in order to provide an overall picture of the creditworthiness of a data subject as meaningful as possible.
- Facts of the case:
In this specific case, the Supreme Court had to deal with an erasure request of a claimant who had not paid various claims despite out-of-court collection attempts – including such carried out by debt collection agencies. The claimant only made the corresponding payments after two applications for execution had been granted. She justified her erasure request by stating that the storage of the data concerning her was no longer necessary, as she had settled the claims in the meantime. Moreover, the amounts involved were insignificant and her financial situation had also improved considerably. Her interest in erasure was therefore higher than the interest of potential future contractual partners (creditors).
On the other hand, the defendant is a credit agency according to Art 152 Austrian Trade Regulations (“GewO 1994”), which stores and processes payment (-experience) data. After three unsuccessful reminders and at least one further unsuccessful reminder by a collection agency, it receives this data automatically from collection agencies and other companies and only stores it if the corresponding claims are not disputed. If payments are subsequently made, the data remains stored. However, this is done with the explicit note “positively settled”.
In this specific case, the defendant stored and processed five negative payment experience data sets concerning the claimant, which resulted in a restriction of the claimant’s participation in economic life. This restriction essentially consisted of the fact that the claimant could no longer place orders on account in many areas (for example, on the Internet) and that she was not (or no longer) granted loans and mobile phone contracts. On the other hand, she could still place orders paid in advance and she was also able to use “prepaid” mobile phones or to get bank loans jointly with her spouse. The defendant thus argued that the storage and processing of data on the basis of Article 6 para 1 lit f of the GDPR (for purposes of the overriding legitimate interests pursued by the controller or a third party) was still lawful, especially since it was essential for the claimant’s potential contractual partners, who were exposed to a credit risk due to any advance performance, to be able to assess her payment behavior. Thus, deletion of the data relating to the claimant would create a distorted and inaccurate overall picture of her creditworthiness.
The claimant’s erasure request was rejected in all three instances. The Supreme Court states, among other things, the following:
- Lawfulness of processing (Art 6 para 1 lit f GDPR):
According to the Supreme Court, the assessment of the lawfulness of the processing of data for purposes of the overriding legitimate interests pursued by the controller or a third party always requires a case-by-case and objective balancing of interests. An indication for the overriding of the interests, fundamental rights or freedoms of the data subject can, in this regard, be that the processing is carried out in a context in which a data subject must not reasonably expect it. In this context, the Supreme Court also refers to Recital 47 to the GDPR, according to which the reasonable expectations of a data subject based on his or her (business) relationship with the controller must also be considered in the balancing of interests. Thus, the interference with the daily life of the data subject must be weighed against the interests of the controller and third parties.
In this specific case, this led to the result that, on the one hand, the claimant had very well to expect that her data would be processed for the purpose of assessing her creditworthiness, especially since she had received reminders in advance with an explicit reference to the fact that her relevant data would be transmitted to the defendant credit agency in connection with undisputed and unpaid due claims. On the other hand, the interests of the credit agency as well as of potential future creditors (avoidance of payment defaults, prevention of the risk of payment delays, enabling a conclusion on insolvency or unwillingness to pay) outweighed those of the claimant, who in the specific case only had to endure reasonable restrictions in her daily life (see facts of the case).
- Principle of storage limitation (Art 5 para 1 lit c and e GDPR):
The Supreme Court, among other considerations, also based its decision on the erasure request on the case law of the Federal Administrative Court (BVerwG), according to which, in addition to the “age” of a claim, the time of any repayments and the “good conduct” of the debtor since then are decisive and statutory observation and cancellation periods should also be used as a guideline. In this case, for example, the Austrian Ordinance on Capital Adequacy (“Kapitaladäquanzverordnung”) could be used, according to which data on any payment defaults over a period of at least five years are relevant.
However, even without referring to this BVerwG case law, the Supreme Court expressly clarifies that a balancing of interests must always be carried out, even for the assessment of the permissibility of a storage period. In this context, the effects of the storage period on the sphere of the data subject must be compared to how essential the data are for the controller.
In the specific case, the defendant, as a credit reference agency, was (and is) dependent on the processing of payment (-experience) data, whereby its activities not only serve its own economic interests, but also creditor protection interests and interests relating to the minimization of risks of third parties. The Supreme Court also explicitly clarified that the possibility to draw different conclusions from the processed data due to the time already elapsed does not affect the question of the lawfulness of the storage period. As a result, the storage of such data for a longer period (here at least for approx. 3 years) is not only permissible, but also necessary in order to be able to provide a meaningful and undistorted picture of the creditworthiness of a (potential) debtor.
However, the Supreme Court did not conclusively assess whether a written notification is actually required in order to be able to hold against a data subject that he or she had to expect the processing, but merely referred to the available findings of fact. In practice, however, such a notification will probably be advisable as “precautionary measure”.
All in all, the above-mentioned decision of the Supreme Court is convincing from the author’s point of view, as the court also accurately pointed out that the long-term storage and processing of “creditworthiness data” is not only advantageous from the point of view of the industry, but also from the point of view of companies as creditors and as well “well-behaving” debtors.
Click here for the supreme court decision.