Austria's Supreme Administrative Court ruled on June 11, 2026, that the macroeconomic statistical parameters a credit bureau feeds into a scoring algorithm do not, on their own, count as personal data under the General Data Protection Regulation, overturning a lower court that had ordered the bureau to hand them over.
The decision, filed under reference Ra 2026/04/0001-11 and issued in Vienna, set aside part of a November 14, 2025, judgment by the Federal Administrative Court. That earlier ruling had found a credit agency in breach of a data subject's right of access under Article 15(1) of the GDPR for withholding the statistical criteria used to calculate his creditworthiness score. The higher court disagreed on the central legal point and struck down that finding, while ordering the federal government to reimburse the appellant company 1,446.40 euros in costs within two weeks.
The judgment lands at a sensitive moment. The meaning of "personal data" - the concept on which the entire consent and access architecture of European data protection rests - is under simultaneous pressure from courts, regulators, and legislators. The European Commission has proposed narrowing the definition in Article 4(1) of the GDPR, and privacy watchdogs have pushed back hard. Into that contested terrain, the Austrian court has drawn a line between the individual output of a scoring model and the abstract inputs that produce it.
What the court decided
The case began years before it reached the top court. In an email dated April 28, 2021, a consumer identified in the ruling only as the co-party requested, for the first time, information about the data a credit bureau held on him, invoking Article 15 of the GDPR. In a letter dated September 2, 2021, he filed a complaint alleging that the response he received was incomplete.
The Austrian Data Protection Authority took up the matter. In a decision dated December 30, 2021, it partially upheld the complaint, finding a violation of the right of access because the bureau had not supplied information required under Article 15(1)(h) of the GDPR - the provision covering the logic of automated decisions. The authority dismissed the rest of the complaint, reasoning that there was no evidence the bureau processed any further personal data.
The consumer challenged the dismissed portion before the Federal Administrative Court. He argued that the statistical criteria used to calculate his credit score also constituted personal data, because they were linked to his age and place of residence and therefore associated with him. On that reading, the parameters fell within the disclosure obligation of Article 15(1).
The Federal Administrative Court agreed with him. Following an oral hearing, it ruled on November 14, 2025, that the bureau had violated the consumer's access right by failing to disclose the statistical data relating to him that it had used to compute the rating. It ordered the company to provide that information within four weeks, subject to enforcement, and declared any further appeal inadmissible. The bureau, represented by the Vienna law firm Fieldfisher, filed an extraordinary appeal anyway.
The Supreme Administrative Court accepted the appeal as admissible precisely because it raised an unsettled question of law, and then ruled in the bureau's favor. The panel, presided over by Senate President Dr. Lukasser, set aside the partial grant of the complaint on the grounds that its content was unlawful.
The reasoning: outputs versus inputs
At the core of the decision sits a distinction between two kinds of data. On one side is the credit score itself, the individualized result of an automated calculation. On the other are the macroeconomic statistical parameters that the algorithm uses as calculation features, values that depend on broad economic developments and may be identical for many people.
The court accepted, as settled law, that the score and other individualized probability statements are personal data. It cited its own December 14, 2021, reasoning in case Ro 2021/04/0007, which held that the term "personal data" must be read broadly and covers not only verifiable facts about a person but also assessments and judgments, such as calling someone a reliable employee. Probability statements qualify as personal data regardless of whether they concern the past, present, or future, and regardless of whether they are accurate. Under Article 4(1), a natural person is identifiable if they can be pinpointed directly or indirectly through identifiers or through factors specific to their economic, cultural, or social identity.
The lower court had leaned on a line of cases about "party affiliations" to reach the parameters. In rulings by the Supreme Court on April 15, 2021 (6 Ob 35/21x) and by the Administrative Court on December 14, 2021, statistically derived estimates of political leanings assigned to individuals had been classified as personal data. The Federal Administrative Court read those precedents to mean that the statistical building blocks behind the score were themselves personal data.
The Supreme Administrative Court rejected that inference. The party-affiliation cases, it held, concerned assessments individually attributed to specific people, which is why the data qualified. That case law does not mean the abstract statistical values used to derive a probability value assigned to an individual are themselves personal data. The court pointed to a further distinction the Supreme Court had drawn: in election analyses, where statistically collected values are not tied to identifiable individuals, no statement is made about any one person's presumed voting behavior, and no personal data is generated.
Applying that logic, the court concluded that general macroeconomic statistics do not, in principle, constitute personal data. The fact that a bureau may have used a particular statistical value to help calculate a figure assigned to a data subject does not transform the underlying value - which is not inherently attributable to any individual - into personal data. On that basis, the Federal Administrative Court had erred, and its finding of a violation could not stand.
A deliberately narrow ruling
The judgment is careful about what it does not decide. The court stated explicitly that the separate question of whether those model parameters must be disclosed under Article 15(1)(h) of the GDPR - the provision on the logic of automated decision-making - was not before it. That part of the original request had been dealt with in the data protection authority's decision and was the subject of parallel proceedings.
The distinction matters. The court did not rule that a person subjected to automated credit scoring has no right to understand how the system reaches its conclusions. It grounded its finding of no violation on the introductory sentence of Article 15(1), the general right to access one's personal data, rather than on the automated-decision transparency provision. In other words, the ruling addresses whether the statistical inputs are personal data in their own right, not whether a bureau owes an explanation of its scoring logic through a different door in the same article.
That leaves the transparency route open. It is a route European courts have been widening.
Why this matters for the marketing and data industry
Credit scoring is a branch of the same machinery that powers behavioral advertising, audience segmentation, and identity resolution: statistical models that ingest a mix of individual and aggregate signals to produce a value attached to a named person. The question the Austrian court confronted - when a general statistical input becomes personal data because of how it is used - runs straight through ad tech.
European regulators have spent the past year pulling automated scoring closer to the center of data protection enforcement. The Austrian Data Protection Authority ruled in September 2025 that credit agency KSV1870 unlawfully used fully automated scoring to deny a consumer energy services, applying the Court of Justice's SCHUFA precedent on Article 22. Months earlier, the Federal Administrative Court had mandated greater transparency in automated credit decisions, finding that a bureau failed to provide adequate information about its scoring logic under Article 15. In Germany, a Wiesbaden court held that SCHUFA must explain why credit scores hurt consumers, ordering individualized disclosure of the factors behind an 85.96% assessment. The direction of travel in those cases pointed toward more disclosure, not less.
The June 11 ruling complicates that picture rather than reversing it. It does not shield scoring systems from scrutiny; it narrows one specific claim - that every statistical ingredient is itself accessible personal data - while leaving the automated-decision transparency obligations untouched. For any organization running scoring or profiling models, the practical boundary the court drew is between the individualized output, which remains firmly personal data, and the shared statistical parameters, which the court treated as belonging to a different category.
That boundary is precisely what is being renegotiated at the European level. The European Commission has proposed narrowing the GDPR's definition of personal data in its Digital Omnibus package, introducing a "relativity" approach under which information is not personal data for an entity that lacks the reasonably likely means to identify a person. The Netherlands raised serious concerns about the Digital Omnibus privacy changes, warning that some amendments go beyond streamlining. The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion warning the proposal would significantly narrow the concept of personal data. Around the same terrain, the EDPB replaced its 2014 anonymity test with a three-part framework for ad data, reworking how the industry decides when a dataset falls inside or outside the regulation.
An Austrian court holding that abstract statistical parameters sit outside the definition of personal data feeds directly into that debate. The reasoning tracks the logic the Commission is trying to codify: data that is not inherently attributable to an individual should not automatically be treated as that individual's personal data merely because it passes through a calculation about them. Whether the courts and the legislature ultimately converge on that view, or pull apart, will shape the compliance obligations of every company that builds a profile from a blend of personal and statistical inputs.
Timeline
- April 27, 2016: Regulation (EU) 2016/679 (the GDPR) adopted
- April 28, 2021: Consumer files first access request with the credit bureau under Article 15
- September 2, 2021: Consumer files a complaint alleging the response was incomplete
- December 30, 2021: Austrian Data Protection Authority partially upholds the complaint, finding a violation over missing Article 15(1)(h) information, and dismisses the rest
- November 14, 2025: Federal Administrative Court rules the bureau violated Article 15(1) by withholding the statistical scoring criteria, and orders disclosure within four weeks
- June 11, 2026: Supreme Administrative Court sets aside that finding, holding the statistical parameters are not personal data, and awards the bureau 1,446.40 euros in costs
Related PPC Land coverage
- Austrian authority rules credit scoring fully automated decisions unlawful - The Austrian Data Protection Authority found KSV1870's fully automated creditworthiness scoring breached Article 22 of the GDPR.
- Austrian court mandates greater transparency in automated credit decisions - The Federal Administrative Court found a credit agency failed to provide adequate information about its automated scoring logic under Article 15.
- German court says SCHUFA must explain why credit scores hurt consumers - A Wiesbaden court ordered SCHUFA to give individualized explanations of the factors behind an automated credit score.
- European Commission proposes major GDPR changes for AI and data processing - The Digital Omnibus package seeks to narrow the Article 4(1) definition of personal data through a "relativity" approach.
- Netherlands raises serious concerns about EU Digital Omnibus privacy changes - The Dutch government warned that proposed changes to personal data definitions go beyond simplification.
- EDPB replaces 2014 anonymity test with 3-part framework for ad data - New guidelines reset how advertising and identity firms determine whether a dataset counts as personal data.
Summary
Who: Austria's Supreme Administrative Court (Verwaltungsgerichtshof) in Vienna, ruling on an extraordinary appeal by a credit bureau represented by the law firm Fieldfisher, with the Data Protection Authority as respondent and the consumer complainant as intervening party.
What: The court set aside a Federal Administrative Court finding that the bureau had violated Article 15(1) of the GDPR, holding that the macroeconomic statistical parameters used to calculate a credit score are not, in themselves, personal data. It awarded the bureau 1,446.40 euros in costs and left open the separate question of disclosure under the automated-decision provision, Article 15(1)(h).
When: The ruling issued on June 11, 2026, under reference Ra 2026/04/0001-11, following a case that began with an access request on April 28, 2021, and a Federal Administrative Court judgment on November 14, 2025.
Where: Vienna, Austria, with implications across the European Union given the shared GDPR framework and cross-border weight of Austrian data protection jurisprudence.
Why: The court distinguished the individualized output of a scoring model, which remains personal data, from the abstract statistical inputs, which it held are not inherently attributable to any individual. The finding intersects with a live European fight over narrowing the definition of personal data under the Commission's Digital Omnibus package.
Discussion