Automated credit checks in online retail: When does Article 22 GDPR apply?

Online retailers often offer various payment methods: credit card, PayPal, instant bank transfer, purchase on account, or installment payment. Especially with less secure payment methods, retailers regularly perform automated checks to determine whether they consider the customer a default risk. From a data protection perspective, the question arises as to when such a credit check qualifies as an automated decision within the meaning of Article 22 of the GDPR. The Austrian Supreme Court recently addressed this issue and referred fundamental questions of interpretation to the Court of Justice of the European Union.

An Austria-wide mail-order company offered its online customers various payment methods, including options with a higher risk of default for the retailer, such as purchase on account and installment payment. If a customer selected one of these payment methods, the company conducted a credit check using both internal and external data (particularly from credit reference agencies).

The decision to accept an insecure payment method was automated. If the system detected an increased risk, the customer was denied the requested payment method. While the customer could then choose other payment methods, such as credit card or PayPal, payment by invoice or installment plan was not available.

The plaintiff association argued that this constituted a violation of Article 22 of the GDPR. This provision protects individuals from being subject to a decision solely based on automated processing which produces legal effects concerning them or similarly significantly affects them. The lower courts initially denied that such a significant effect had occurred, but the Austrian Supreme Court (OGH) had doubts about the interpretation of Article 22 of the GDPR under EU law and referred several questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

The central question is whether the automated rejection of a particular payment method constitutes a decision within the meaning of Article 22 GDPR that "significantly affects" the data subject in a similar way to a decision with legal effect. Furthermore, the Supreme Court raises questions regarding the further structure of the review under Article 22 GDPR, in particular the requirements for the admissibility of automated decisions pursuant to Article 22(2) GDPR and the necessary safeguards under Article 22(3) GDPR, such as the right to human intervention.

The Austrian Supreme Court's decision highlights the considerable uncertainty under EU law regarding automated credit decisions in online retail. Until the European Court of Justice (ECJ) clarifies the situation, companies are advised to design such systems restrictively and with a focus on risk. Automated decision-making processes should be designed not only to be technically efficient but also legally sound. The focus here is on a clear separation of scoring and decision-making, a robust legal basis, and effective safeguards for the individuals concerned.


Supreme Court 13.08.2025, 6 Ob 15/25m
