Austrian authority rules credit scoring fully automated decisions unlawful

Data protection ruling finds KSV1870's algorithmic scoring system violated GDPR prohibitions against automated decision-making.

The Austrian Data Protection Authority ruled on September 25, 2025, that credit agency KSV1870 unlawfully employed fully automated scoring to deny energy supplier services to consumers. According to the official decision document, KSV1870's automated calculation and transmission of risk indicators constituted prohibited automated individual decision-making under Article 22 GDPR. The authority imposed immediate processing restrictions and ordered comprehensive disclosure requirements for both companies involved.

The enforcement action emerged from a complaint filed by privacy advocacy group noyb on August 29, 2024, after their client encountered automated rejection from energy provider Unsere Wasserkraft based solely on algorithmic creditworthiness assessment. The rejection occurred within minutes of application submission, demonstrating the fully automated nature of the decision-making process.

KSV1870 operates Austria's commercial credit database under trade licensing regulations section 152. The agency automatically calculated a "RiskIndicator" value of 403 for the complainant, representing a 3.53% probability of payment default within 12 months. According to the decision, this score determination relied on automated processing of personal data without human intervention or individual case review.

Unsere Wasserkraft received monthly application volumes between 6,000 and 10,000 energy supply requests. The company integrated KSV1870's database through automated interfaces, enabling instantaneous creditworthiness verification during customer onboarding processes. When applicants received risk scores above predetermined thresholds, the system automatically cancelled energy supply contracts within minutes of initial acceptance.

The complainant's case illustrated this automated pipeline. Application submission occurred at 13:25 on October 17, 2023, through intermediary ENERGO Energiedienstleistungen GmbH. Unsere Wasserkraft's system generated welcome messages at 13:29, followed immediately by rejection notifications at 13:30 citing "insufficient creditworthiness assessment" through "standard verification procedures with the Austrian credit protection association."

Martin Baumann, data protection lawyer at noyb, stated: "The GDPR contains clear provisions protecting people from unlawful algorithmic deployment. Despite increasingly clear European Court of Justice jurisprudence, many companies continue ignoring these regulations."

According to the authority's technical findings, KSV1870's automated scoring calculation constituted "profiling" under Article 4(4) GDPR through systematic evaluation of personal characteristics predicting individual creditworthiness. The decision referenced December 7, 2023, European Court of Justice precedent in Case C-634/21, which established that automated credit scoring constitutes prohibited decision-making when results substantially influence third-party contract decisions.

The European Court of Justice ruling in SCHUFA determined that credit agencies conducting automated probability assessments violate Article 22 GDPR when those scores significantly impact whether businesses establish, conduct, or terminate customer relationships. Austrian authorities applied this precedent directly to KSV1870's operations.

Data protection authorities examined whether processing qualified under Article 22(2) GDPR exceptions permitting automated decisions. KSV1870 could not demonstrate explicit consent, contractual necessity, or legal authorization meeting regulatory requirements. The authority determined that trade regulations section 152 provided insufficient legal basis for automated individual decision-making.

Unsere Wasserkraft successfully argued contractual necessity under Article 22(2)(a) GDPR for their processing activities. The company demonstrated that manual creditworthiness verification for 6,000-10,000 monthly applications would require approximately 18 full-time employees assuming 30-minute assessment periods per application. Austrian authorities accepted this economic justification, noting that alternative approaches like advance payment requirements would compromise market competitiveness.

The authority distinguished between KSV1870's prohibited score generation and Unsere Wasserkraft's permitted automated contract decisions. While energy suppliers faced legitimate business necessity for efficiency, credit agencies lacked comparable justification for fully automated risk assessments affecting third-party commercial relationships.

Transparency violations compounded the automated decision-making infractions. According to the decision, KSV1870's privacy documentation incorrectly stated that scoring "supports contract partners in decision-making" rather than acknowledging automated determination processes. The company claimed scores represented "merely recommendations" lacking sufficient influence for contract rejections.

This characterization contradicted documented evidence showing Unsere Wasserkraft's exclusive reliance on KSV1870's algorithmic outputs. Privacy lawyer Baumann observed: "Companies must thoroughly verify whether their automated decisions comply with fundamental privacy rights."

Both organizations failed to provide adequate information about automated processing under Articles 13 and 14 GDPR. Their privacy policies omitted the automated decision-making disclosures, explanations of the logic involved, and descriptions of processing scope required for algorithmic transparency compliance.

The complainant's subsequent intervention revealed KSV1870's score modification capabilities. Following formal complaints, the credit agency recalculated the individual's RiskIndicator from 403 to 337, representing decreased default probability from 3.53% to 1.98%. This 44% probability reduction occurred without obvious underlying data changes, raising questions about scoring methodology reliability and consistency.

Austrian authorities ordered immediate processing restrictions preventing KSV1870 from calculating scoring values for automated decision-making without explicit individual consent. The prohibition specifically targets algorithmic assessments designed for third-party automated contract evaluation rather than human-reviewed credit analysis.

KSV1870 must provide comprehensive transparency disclosures detailing mathematical-statistical scoring principles, individual data element influences on calculated results, and potential contractual impacts for affected persons within four-week compliance deadlines. The authority specified requirements for average-person comprehension standards rather than technical documentation approaches.

Unsere Wasserkraft received similar transparency obligations concerning their automated decision-making processes, though the authority permitted continued operations under contractual necessity exceptions. The company must explain automated decision logic and provide individual challenge mechanisms meeting Article 22(3) GDPR requirements for human review options.

The enforcement reflects broader European regulatory focus on algorithmic accountability across commercial sectors. Dutch authorities published comprehensive consultation responses on human intervention requirements in June 2025, while UK legislation modernized automated decision frameworks through streamlined rules balancing innovation with individual protection.

Recent GDPR enforcement statistics demonstrate €4.2 billion in fines across 6,680 regulatory actions since 2018 implementation. However, analysis reveals only 1.3% of European cases resulted in monetary penalties, with significant variation among national authority enforcement approaches.

The KSV1870 decision represents Austria's commitment to algorithmic transparency enforcement amid expanding commercial automation deployment. Credit scoring systems particularly face scrutiny following European court precedents establishing strict limitations on automated individual assessments affecting contractual opportunities.

Major GDPR enforcement actions throughout 2024-2025 targeted technology platforms for processing violations, while regulatory focus on cookie consent mechanisms generated substantial penalties for deceptive interface designs across European markets.

Data protection advocates expect appeals from both companies given the decision's precedential implications for Austria's credit assessment industry. The ruling establishes clear boundaries between permitted business efficiency automation and prohibited individual algorithmic evaluation, potentially affecting similar commercial scoring applications across multiple economic sectors.

Timeline

  • January 4, 2023: Complainant authorizes ENERGO to negotiate energy supply contracts
  • October 17, 2023: ENERGO submits application to Unsere Wasserkraft at 13:25-13:28
  • October 17, 2023: Welcome message sent at 13:29, rejection notice at 13:30
  • December 15, 2023: Complainant requests data access from Unsere Wasserkraft
  • January 16, 2024: Data access request submitted to KSV1870
  • February 13, 2024: KSV1870 provides initial data disclosure
  • March 20, 2024: KSV1870 revises risk score from 403 to 337 following complaint
  • August 29, 2024: noyb files complaint with Austrian Data Protection Authority
  • September 25, 2025: Austrian authority issues decision finding GDPR violations
  • June 3, 2025: Dutch authorities publish AI consultation responses
  • June 28, 2025: UK modernizes automated decision legislation
  • August 5, 2024: European Commission reports €4.2B in GDPR fines

Summary

Who: Austrian credit agency KSV1870 Information GmbH and energy provider Unsere Wasserkraft | go green energy GmbH & Co KG, with complainant represented by privacy advocacy organization noyb - Europäisches Zentrum für digitale Rechte.

What: Austrian Data Protection Authority ruled that KSV1870's fully automated credit scoring system violated GDPR Article 22 prohibitions against automated individual decision-making, while Unsere Wasserkraft's automated contract rejections received qualified approval under business necessity exceptions, with both companies ordered to provide comprehensive algorithmic transparency disclosures.

When: The violations occurred on October 17, 2023, during automated energy contract processing, with noyb filing regulatory complaints on August 29, 2024, and Austrian authorities issuing their definitive ruling on September 25, 2025.

Where: The enforcement action addresses Austrian commercial credit assessment practices affecting energy supply applications nationwide, with implications for algorithmic decision-making across European Union jurisdictions under harmonized GDPR frameworks.

Why: The case establishes precedential limitations on commercial credit scoring automation following December 2023 European Court of Justice precedent, protecting individuals from algorithmic assessments substantially influencing contractual opportunities while permitting justified business efficiency automation under strict transparency requirements.