The Austrian Data Protection Authority ruled on September 25, 2025, that credit agency KSV1870 unlawfully employed fully automated scoring to deny energy supply services to consumers. According to the official decision document, KSV1870’s automated calculation and transmission of risk indicators constituted prohibited automated individual decision-making under Article 22 GDPR. The authority imposed immediate processing restrictions and ordered comprehensive disclosure requirements for both companies involved.

The enforcement action emerged from a complaint filed by privacy advocacy group noyb on August 29, 2024, after their client encountered automated rejection from energy supplier Unsere Wasserkraft based solely on algorithmic creditworthiness assessment. The rejection occurred within minutes of application submission, demonstrating the fully automated nature of the decision-making process.

KSV1870 operates Austria’s commercial credit database under trade licensing regulations section 152. The company automatically calculated a “RiskIndicator” value of 403 for the complainant, representing a 3.53% probability of payment default within 12 months. According to the decision, this score determination relied on automated processing of personal data without human intervention or individual case review.

Unsere Wasserkraft received monthly application volumes between 6,000 and 10,000 energy supply requests. The company integrated KSV1870’s database through automated interfaces, enabling instantaneous creditworthiness verification during customer onboarding processes. When applicants received risk scores above predetermined thresholds, the system automatically cancelled energy supply contracts within minutes of initial acceptance.

The complainant’s case illustrated this automated pipeline. Application submission occurred at 13:25 on October 17, 2023, through intermediary ENERGO Energiedienstleistungen GmbH. Unsere Wasserkraft’s system generated welcome messages at 13:29, followed immediately by rejection notifications at 13:30 citing “inadequate creditworthiness evaluation” through “standard verification procedures with the Austrian credit protection association.”

Martin Baumann, data protection lawyer at noyb, stated: “The GDPR contains clear provisions protecting people from unlawful algorithmic deployment. Despite increasingly clear European Court of Justice jurisprudence, many companies continue ignoring these regulations.”

According to the authority’s technical findings, KSV1870’s automated scoring calculation constituted “profiling” under Article 4(4) GDPR through systematic evaluation of personal characteristics predicting individual creditworthiness. The decision referenced December 7, 2023, European Court of Justice precedent in Case C-634/21, which established that automated credit scoring constitutes prohibited decision-making when outcomes significantly influence third-party contract decisions.

The European Court of Justice ruling in SCHUFA determined that credit agencies conducting automated probability assessments violate Article 22 GDPR when these scores significantly impact whether businesses establish, conduct, or terminate customer relationships. Austrian authorities applied this precedent directly to KSV1870’s operations.

Data protection authorities examined whether processing qualified under Article 22(2) GDPR exceptions permitting automated decisions. KSV1870 could not demonstrate explicit consent, contractual necessity, or legal authorization meeting regulatory requirements. The authority determined that trade regulations section 152 provided inadequate legal basis for automated individual decision-making.

Unsere Wasserkraft successfully argued contractual necessity under Article 22(2)(a) GDPR for their processing activities. The company demonstrated that manual creditworthiness verification for 6,000-10,000 monthly applications would require approximately 18 full-time employees assuming 30-minute review periods per application. Austrian authorities accepted this economic justification, noting that alternative approaches like advance payment requirements would compromise market competitiveness.

The authority distinguished between KSV1870’s prohibited score generation and Unsere Wasserkraft’s permitted automated contract decisions. While energy suppliers faced legitimate business necessity for efficiency, credit agencies lacked comparable justification for fully automated risk assessments affecting third-party commercial relationships.

Transparency violations compounded the automated decision-making infractions. According to the decision, KSV1870’s privacy documentation incorrectly stated that scoring “helps contract partners in decision-making” rather than acknowledging automated determination processes. The company claimed scores represented “merely suggestions” lacking sufficient influence for contract rejections.

This characterization contradicted documented evidence showing Unsere Wasserkraft’s exclusive reliance on KSV1870’s algorithmic outputs. Privacy lawyer Baumann observed: “Companies must thoroughly verify whether their automated decisions comply with fundamental privacy rights.”

Both organizations failed to provide adequate information about automated processing under Articles 13 and 14 GDPR. Their privacy policies omitted automated decision-making disclosures, explanations of the logic involved, and processing scope descriptions required for algorithmic transparency compliance.

The complainant’s subsequent intervention revealed KSV1870’s score modification capabilities. Following formal complaints, the credit agency recalculated the individual’s RiskIndicator from 403 to 337, representing decreased default probability from 3.53% to 1.98%. This 44% probability reduction occurred without apparent underlying data changes, raising questions about scoring methodology reliability and consistency.

Austrian authorities ordered immediate processing restrictions preventing KSV1870 from calculating scoring values for automated decision-making without explicit individual consent. The prohibition specifically targets algorithmic assessments designed for third-party automated contract evaluation rather than human-reviewed credit assessment.

KSV1870 must provide comprehensive transparency disclosures detailing mathematical-statistical scoring principles, individual data element influences on calculated outcomes, and potential contractual impacts for affected persons within four-week compliance deadlines. The authority specified requirements for average-person comprehension standards rather than technical documentation approaches.

Unsere Wasserkraft received comparable transparency obligations concerning their automated decision-making processes, though the authority permitted continued operations under contractual necessity exceptions. The company must explain automated decision logic and provide individual challenge mechanisms meeting Article 22(3) GDPR requirements for human review options.

The enforcement reflects broader European regulatory focus on algorithmic accountability across commercial sectors. Dutch authorities published comprehensive consultation responses on human intervention requirements in June 2025, while UK legislation modernized automated decision frameworks through streamlined rules balancing innovation with individual protection.

Recent GDPR enforcement statistics demonstrate €4.2 billion in fines across 6,680 regulatory actions since 2018 implementation. Nevertheless, analysis reveals only 1.3% of European cases resulted in monetary penalties, with significant variation among national authority enforcement approaches.

The KSV1870 decision represents Austria’s commitment to algorithmic transparency enforcement amid expanding commercial automation deployment. Credit scoring systems particularly face scrutiny following European court precedents establishing strict limitations on automated individual assessments affecting contractual opportunities.

Major GDPR enforcement actions throughout 2024-2025 targeted technology platforms for processing violations, while regulatory focus on cookie consent mechanisms generated substantial penalties for misleading interface designs across European markets.

Data protection advocates anticipate appeals from both companies given the decision’s precedential implications for Austria’s credit assessment industry. The ruling establishes clear boundaries between permitted business efficiency automation and prohibited individual algorithmic evaluation, potentially affecting comparable commercial scoring applications across multiple economic sectors.

Timeline

  • January 4, 2023: Complainant authorizes ENERGO to negotiate energy supply contracts
  • October 17, 2023: ENERGO submits application to Unsere Wasserkraft at 13:25-13:28
  • October 17, 2023: Welcome message sent at 13:29, rejection notice at 13:30
  • December 15, 2023: Complainant requests data access from Unsere Wasserkraft
  • January 16, 2024: Data access request submitted to KSV1870
  • February 13, 2024: KSV1870 provides initial data disclosure
  • March 20, 2024: KSV1870 revises risk score from 403 to 337 following complaint
  • August 29, 2024: noyb files complaint with Austrian Data Protection Authority
  • September 25, 2025: Austrian authority issues decision finding GDPR violations
  • June 3, 2025: Dutch authorities publish AI consultation responses
  • June 28, 2025: UK modernizes automated decision legislation
  • August 5, 2024: European Commission reports €4.2B in GDPR fines

Abstract

Who: Austrian credit agency KSV1870 Information GmbH and energy supplier Unsere Wasserkraft | go green energy GmbH & Co KG, with complainant represented by privacy advocacy group noyb – Europäisches Zentrum für digitale Rechte.

What: Austrian Data Protection Authority ruled that KSV1870’s fully automated credit scoring system violated GDPR Article 22 prohibitions against automated individual decision-making, while Unsere Wasserkraft’s automated contract rejections received qualified approval under business necessity exceptions, with both companies ordered to provide comprehensive algorithmic transparency disclosures.

When: The violations occurred on October 17, 2023, during automated energy contract processing, with noyb filing regulatory complaints on August 29, 2024, and Austrian authorities issuing their definitive ruling on September 25, 2025.

Where: The enforcement action addresses Austrian commercial credit assessment practices affecting energy supply applications nationwide, with implications for algorithmic decision-making across European Union jurisdictions under harmonized GDPR frameworks.

Why: The case establishes precedential limitations on commercial credit scoring automation following December 2023 European Court of Justice precedent, protecting individuals from algorithmic assessments significantly influencing contractual opportunities while permitting justified business efficiency automation under strict transparency requirements.

