Illegal credit scores: noyb to amplify pressure

Oct 18, 2021

Illegal credit scores: noyb to amplify pressure

Today, noyb filed a complaint against the address trader Acxiom and the credit reference agency CRIF Bürgel in Germany. Their illegal trade with personal data of millions of Germans violates the GDPR as well as national data protection law. Data originally collected for direct marketing may not be used to calculate creditworthiness without consent of the data subjects. Following a similar complaint in Austria, noyb is thus taking a further step in the fight against unlawful data trading between address publishers and credit reference agencies. 

CRIF Bürgel uses data sets that were originally collected for direct marketing from Axciom and judges millions of citizens’ creditworthiness on that basis. This clearly violates the basic principle of the GDPR that data may only be collected for "specified, explicit and legitimate purposes".

"A very large part of credit bureau data comes from address publishers - and without a legal basis. All of this is done secretly, without ever asking for consent or informing the data subjects. That’s against the law." - Alan Dahi, data protection lawyer at noyb

Sneaky business ties. Data subjects usually have no idea that their data is being collected, processed and shared. They certainly don’t expect their creditworthiness to be calculated and sold based on their name, address and birthdate. While the complainant in this case had himself requested information from CRIF Bürgel and Acxiom, most people only learn about the misuse of their data when they are confronted with the consequences.

"When people are suddenly denied a loan, cannot make a purchase on account or conclude a cell phone plan, they usually don’t understand why. How creditworthiness is calculated and where the data comes from is highly opaque. " - Alan Dahi, data protection lawyer at noyb

Unlawful business practices and "voodoo credit scores". Credit scores must always be based on payment experience data. Using demographic data such as name, address and date of birth is not only flimsy, but also illegal: In June 2018, the German Data Protection Conference held that "Positive Data" - i.e. data that is not based on past payment experiences - may only be processed with the consent of the data subject. Also, the Federal Data Protection Act explicitly prohibits calculating a credit score solely on the basis of address data. Nevertheless, in in this specific case, CRIF Bürgel attributed a score only on the basis of the data subjects name as well as his current and former residential address. Such "voodoo data generation" has already led noyb to issue a complaint to the Austrian data protection earlier this year.

Almost everyone in Germany affected. The complainant's situation is far from exceptional. According to CRIF Bürgel’s own information, their database contains records on almost all private individuals participating in economic life. In figures, this concerns "more than 62 million private individuals in Germany", according to CRIF Bürgel.

"The situation of the person we represent is unfortunately not an isolated case. noyb has several similar cases. If you have a residence in Germany, there is a high probability that you are also affected and that CRIF Bürgel and Acxiom are secretly doing business with your data."  - Alan Dahi, data protection lawyer at noyb

Other credit reference agencies such as Schufa also engage in similar business practices. These are currently subject to further investigations by noyb.

You want to know what data CRIF Bürgel has about you and where it comes from? Send an email to selbstauskunft@crifbuergel.de. CRIF Bürgel must reply to your request within one month.

 

We also asked the complainant how he had found out about the misuse of his data and what changes he would like to see from credit reference agencies and address traders in the future: