At the end of March 2023, the Austrian Data Protection Authority dealt with a credit agency's (the respondent's) processing of data for the purpose of checking creditworthiness, which had been reported as unlawful for lack of a legal basis pursuant to Article 6(1) GDPR. The credit agency had received the data from an address publisher. The data transfer by the address publisher was neither lawful nor covered by the purpose of the latter’s original data processing, as the authority found in separate proceedings initiated against the address publisher.
Facts of case
The complainant submitted a request for information to the respondent. In the information furnished in response to the request, "address publishers and direct marketing companies acting under Sec. 151 of the Austrian Industrial Code/GewO 1994" were named, among others, as the source of the complainant’s personal data. The respondent had received at least the complainant’s name, address and date of birth from an address publisher. The basis for the unlawful transfer of data was an agreement on the supply and use of address data entered into between the address publisher and the respondent. The respondent used the data collected to carry out assessments of creditworthiness, including that of the complainant. The complainant was informed neither of the fact that the address publisher had been processing the complainant's data nor of the fact that the address publisher had transmitted the data to the respondent.
Assessment of the lawfulness of data processing
Any processing of personal data must comply with all the principles listed in Article 5 of the GDPR (the principles relevant here being lawfulness and purpose limitation). In order for processing to be lawful, it must satisfy at least one of the permission grounds of Article 6 of the GDPR (prohibition with reservation of permission). Otherwise, data processing is not permitted and therefore unlawful.
Since the complainant was not aware of the data processing, there could be no consent to the processing (Article 6(1)(a)).
Furthermore, there were two reasons why the respondent could not invoke either the element of authorisation for the fulfilment of a legal obligation (Article 6(1)(c)) or the element of authorisation for the performance of a task in the public interest (Article 6(1)(e)). The respondent's trade is based on Sec. 152 GewO 1994 and does not fulfil this requirement.
Likewise, the respondent was unable to invoke a legitimate interest (Article 6(1)(f)). The decisive factor was that, in the parallel proceedings initiated against the address publisher, the Data Protection Authority had established that this instance of data processing was unlawful (the decision being not yet final and unappealable). In the required weighing of interests, the fact that the address publisher was not authorised to disclose the data for credit assessment purposes had to be taken into account, because the address publisher was only allowed to use the collected data and to pass them on to third parties for marketing purposes. The use for credit rating purposes by the respondent was thus not covered by the legitimate purpose, so that the principle of purpose limitation was not fulfilled. Moreover, the respondent could not furnish proof that the determination of the complainant's data by the address publisher had been lawful. Reference to an existing trade licence and supervision by the trade authority was not sufficient.
The consequences of unlawfulness
According to the established case law of the Supreme Administrative Court (ruling of 23 February 2021, Ra 2019/04/0054), the unlawful collection of personal data by a controller renders a subsequent transfer by the same controller unlawful. As a consequence, unlawful transfer means that another controller cannot lawfully process such data, either.
In practice, this decision by the Data Protection Authority once again goes to show that companies must pay close attention to ensuring that any and all data processing complies with all the principles of the GDPR, meaning that there must be a permissible legal basis and transfer must be covered by the purpose of processing. The fact that a company receives data from a "professional" or "reputable" address publisher is not sufficient as a legal basis!