🤖 AI Summary
The Austrian privacy watchdog (DSB) has ruled that credit agency KSV1870’s fully automated credit score — which led energy provider Unsere Wasserkraft to automatically refuse a customer’s contract — was unlawful under the GDPR. The decision follows a complaint by privacy group noyb: the automated assessment was made without the data subject’s knowledge or consent, and both KSV1870 and the supplier failed to meet transparency obligations. The DSB ordered KSV1870 to stop carrying out such automated credit checks on the complainant’s data without consent and to provide a comprehensible explanation of the decision; Unsere Wasserkraft was also reprimanded and must adapt its processes if it continues to assess creditworthiness.
The ruling applies established legal precedent: the CJEU’s 2023 SCHUFA decision and Article 22 GDPR bar automated individual decision‑making that has significant effects unless narrow exceptions (e.g., explicit consent or safeguards) are met. Practically, this reinforces that profiling-based refusals of service require prior lawful basis, meaningful human oversight, and clear explanations to data subjects. For the AI/ML community and firms using automated scoring models, the case signals intensified enforcement: models that drive denial decisions must be auditable, explainable, and compliant with consent/transparency rules or risk bans and sanctions. The DSB decision isn’t final and an appeal is expected.