Credit agency CRIF systematically withholds data from consumers

Credit Scoring
 /  01 June 2023

noyb's legal proceedings against the credit reporting agency CRIF are uncovering a multitude of legal violations and cynical interpretations of the GDPR, exposing a swamp of misconduct. These violations include incorrect credit scores, unlawful data collection, and deliberate withholding of information when data subjects submit requests to the credit agency. CRIF's tactics rely on the hope that most individuals will give up their pursuit of information. In response, noyb has filed a complaint addressing these repeated violations, bringing attention to the thousands of instances where individuals' rights are being violated.

missing piece

Structural partial answers. According to Article 15 GDPR, every consumer has a right to receive all data that credit bureaus like CRIF store within one month. However, CRIF's response fails to indicate the source of the data on the data subject, and it only includes information about recipients of creditworthiness data from the past six months. Such selective disclosure contradicts the GDPR, which mandates the prompt and complete provision of information without any arbitrary withholding by companies.

Max Schrems, Chairman of noyb: "It is almost bizarre to what extent CRIF disregards the GDPR. At every turn, a new violation of the law is uncovered, showcasing the extent to which CRIF flouts regulations. The motive behind withholding information is transparent: by concealing information, CRIF hopes to avoid inconvenient inquiries. However, most consumers are unaware that the provided data is only a partial extract, leaving them unaware of the full extent of data processing."

Violation of rights happens intentionally and systematically. The intentional and systematic violation of rights becomes apparent through CRIF's incomplete provision of information. noyb has come across numerous cases where data subjects have only received additional information after persistent follow-ups and intervention from data protection authorities. The more determined individuals are, the more information seems to magically appear. In most cases, it becomes evident that the data was collected from address publishers and shared far more extensively than initially acknowledged. However, the GDPR clearly places the responsibility of providing access on the data controller, emphasizing that they must facilitate the exercise of this right. CRIF, on the contrary, does the opposite.

Max Schrems: "CRIF tries to disguise its questionable practice with every trick in the book. Despite the GDPR's explicit requirement that you have to receive all information directly, CRIF engages in evasive tactics."

Report to the data protection authority, substantial penalty could be imminent. Given the systematic, intentional, and flagrant nature of CRIF's violations, it is undeniable that they warrant punitive measures. Recognizing this, noyb has filed a complaint with the data protection authority, in addition to the individual complaints from affected data subjects. noyb estimates that a significant number of people, likely reaching a five-digit figure, are affected by the incomplete information provided by CRIF each year.

Max Schrems: "If a company that primarily works with personal data structurally ignores the GDPR, the authority must certainly also set an example with proper penalties. This is not about a misunderstanding or a different legal opinion, here consumers are deliberately deprived of their rights."