https://usancen.lawthek.eu/en/blog/lawthek/supreme-court-automated-credit-checks-3dcde622/
Data Privacy Law 

Supreme Court: Automated credit checks

Benn-Ibler Rechtsanwälte

ECJ referral  GDPR  automated decision-making  consumer protection  credit checks  data privacy law  payment methods  All tags

The Supreme Court (OGH) had to decide whether the automated rejection of certain payment methods (invoice, partial payment) by a mail order company falls under Article 22(1) of the General Data Protection Regulation (GDPR) and whether this practice is permissible without the consent of customers.

The Association for Consumer Information (VKI) filed a lawsuit for injunctive relief because the defendant automatically performs credit checks on new customers and, if the result is negative, only offers secure payment methods (credit card, PayPal). The VKI considered this to be an inadmissible automated individual decision under Article 22 GDPR.

The defendant argued that there was no legal effect or significant impairment because the contract could still be concluded and that the decision was necessary for the performance of the contract.

The defendant receives around 50,000 to 60,000 orders per month, mainly online. Around 90% of customers choose unsecure payment methods such as invoice or installment payment. New customers are automatically subject to a credit check: if the customer is unknown or the score is red, insecure payment methods are rejected, but the order can be placed by credit card or PayPal. If the score is yellow, an employee decides after a manual check; if the score is green, the order is automatically approved. Orders are never completely rejected, only the payment method is restricted.

 The court of first instance and the court of appeal dismissed the action. The restriction to certain payment methods does not constitute a significant impairment, especially since other reasonable payment options exist. Furthermore, manual verification is not practicable for up to 60,000 orders per month.

 The Supreme Court considered key questions of EU law to be unresolved and referred several questions to the European Court of Justice (ECJ) for a preliminary ruling. In particular, it would like clarification on the following points: 

  1. Whether the restriction to secure payment methods within the meaning of Art. 22(1) GDPR constitutes a “legal effect” or “significantly impairs in a similar manner.”
  2. Whether there must be a direct factual connection between the purpose of the contract and the credit check and whether the data used must be objectively suitable for assessing creditworthiness.
  3. Who bears the burden of proof as to which data is actually processed.
  4. Whether the automated decision itself must be necessary or whether a manual check should also be considered, and what significance customer expectations and the number of orders received have.

The proceedings are suspended pending the decision of the ECJ.

OGH 6 Ob 15/25m (August 13, 2025)



More Services

LawThek Efficient Legal Information LawThek uses cutting-edge technologies like graph databases and AI to make legal information accessible. (opens in new tab) JobThek Legal Jobs The job board for legal professionals – find your next career opportunity in the legal sector. (opens in new tab) LegalNetics Innovative LegalTech Solutions Transform your legal documents into connected knowledge with LegalNetics. (opens in new tab)