Credit agency prohibited from collecting data via access requests and civil registries

Credit Scoring
 /  06 February 2023

Credit agency prohibited from collecting data via access requests and civil registries

Two years ago, noyb filed a GDPR complaint against credit data broker KSV 1870. The Austrian credit reporting agency stored unsolicited data from previously unknown individuals who exercised their legal right to access their data. Now, the Austrian Data Protection Authority (DSB) published their ruling on the case: the credit reporting agency may not collect data through access requests and civil registries.

Credit bureau stores data from information requests. Europeans have the right to submit an information request to companies to find out what data is being processed about them. To confirm the identity of the person, a company often asks for additional data: an ID, name, address or date of birth, for example. Naturally, companies may only use this additional information for the purpose of answering an access request and must then delete it again. This is not the case with the industry leader of Austrian credit reporting agencies: KSV 1870 stores information about individuals when they request access to their data.

Systematic approach by KSV. The KSV's approach is systematic - we have received numerous similar cases. A data subject had filed an access request under Article 15 GDPR with the KSV. The credit agency replied that no personal data of the data subject had been processed. At least until now. KSV argued that the additional information provided by the data subject in order to enforce their right to access would now be stored in the "business database". But that's not all: before that, the data subject's information from the access request was compared with their data in the Central Register of Residents and added to the business database.

"The DSB has proven us right: KSV 1870's business model of using information requests from data subjects to enrich its economic database is illegal. Processing any additional information from the civil registry is also clearly illegal. We assume that, in addition to the person we represent, countless other Austrians are affected. These can demand from KSV the deletion of the unlawfully processed data." - Marco Blocher, data protection lawyer at

DPA and noyb agree: KSV acts unlawfully. KSV's actions violate the principle of purpose limitation according to Article 5(1)(b) of the GDPR. This states that data must be collected for a specific purpose. Further processing for another purpose is only permitted if it is compatible with the original purpose. The DPO held that there was no apparent reason for processing the data of the request for access for credit ratings, nor was there a legal mandate for general data collection. In addition, the DPO ordered the deletion of the illegally obtained data.

noyb keeps a close eye on data traders. Industries whose core business is data trading must be held to particularly strict standards when it comes to data protection. The problem is that credit bureaus are hardly regulated: while they are only allowed to process data that is relevant to creditworthiness, there is no definition of what specific information this includes. As credit reporting agencies have access to a lot of data, they must handle it in a particularly responsible manner.