Following an initiative by noyb, more than 2,400 affected individuals requested their data from the credit agency CRIF and have now received it. An evaluation by noyb shows that many well-known Austrian companies, such as Erste Bank, Verbund and Drei, evaluate their customers using CRIF data. Some companies, such as T-Mobile, the online retailer Otto, and the insurance company Allianz, also seem to provide their customer data to CRIF. The initial evaluation of over 40,000 queries with more than 28,000 scores transmitted also shows that men are rated significantly worse than women. People in cities receive a lower score than people on the countryside. noyb will conduct detailed analyses in the coming weeks to evaluate the individual accuracy of the CRIF scores.
Data sources: Three major address publishers. CRIF's address data comes primarily from three address publishers: AZ Direct (part of the Bertelsmann Group), Compass Verlag and DPIT in Vienna. According to § 151 of the Austrian Commercial Code and several court rulings, address publishers may only sell these addresses for marketing purposes. Nevertheless, they end up at CRIF and form the basis for CRIF's credit rating. If the unlawful transfer of address data was to end, CRIF would potentially have to delete the data of almost everyone living in Austria tomorrow. In order to find out where the above-mentioned address publishers obtained the data of everyone in Austria, noyb has now also sent them access requests on behalf of the 2,440 participants. In addition to the three major address traders, telecoms, banks and energy providers also appear as sources of address data on a smaller scale. Here, CRIF customers themselves seem unable to explain how the data ends up at CRIF, according to initial inquiries.
Max Schrems: "Even under existing case law, CRIF's data processing is built on sand. The authorities have turned a blind eye, allowing CRIF to process data on the 90% of the population who have always paid their bills."
"Data verification": Banks and telecoms provide information to CRIF. To the surprise of noyb, companies such as T-Mobile, Drei, bank99, Allianz and Klarna also appear as sources for the "verification" of addresses and data. This is particularly problematic because telecoms providers and banks, for example, are required by law to identify customers with ID. When this data ultimately ends up at CRIF, it goes far beyond what is legally required for the identification of account holders or mobile phone customers. In direct discussions, these companies have always claimed that they do not provide CRIF with any data, but only retrieve it. It is possible that this further use of data is happening behind the backs of banks and telecoms companies. noyb will now contact these companies to seek further clarification. It is still unclear whether these companies are aware that this is happening.
Max Schrems: "What is new is that T-Mobile and Drei, for example, also supply their customer data to CRIF for identity verification purposes. This is particularly tricky because you have to identify yourself with ID at mobile phone providers or banks. This verified data then ends up at CRIF. noyb is now investigating whether this can be legal in any way."
Financial information: Only a few debt collection records. CRIF has payment history data for around 10% of people in Austria. These are mostly debt collection claims – including those that have long been paid. CRIF also stores paid claims for up to 7 years if they exceed €20. Insolvencies appear in only 15 cases out of 2,440 test subjects – presumably because, according to CJEU case law, this data must now be deleted after one year.
Max Schrems: "It appears that CRIF now deletes insolvencies after one year. However, late payments of small amounts are stored for seven years. We cannot understand the logic behind why insolvencies are deleted quickly, but late payments are not."
Klarna is CRIF's largest customer. Based on the 40,000 data records available, the Swedish payment provider Klarna appears to be CRIF's largest customer. However, the insurance company Allianz and the luxury online shop Breuninger also appear among the top users, followed by Erste Bank, the Canadian verification provider Trulioo, credit card provider card complete, TF Bank and bank99. Among energy providers, MaxEnergy, Energie AG and Verbund seem to assess their customers on a regular basis. However, many requests are difficult to explain: for example, real estate companies or law firms have sometimes accessed the data of data subjects even though there was no credit contract or purchase on account. There also seem to be ‘preventive’ queries . At first glance, it appears that some companies use them as a kind of ‘background check’ – without really having a valid reason for making a query. noyb will therefore ask those affected and CRIF's customers more detailed questions in order to find out more about their business relationship with CRIF.
Max Schrems: “At first glance, some queries do not necessarily appear to be justified. We are now asking our more than 2,400 participants whether they have noticed any unlawful queries in their data. It could be that some CRIF customers themselves have violated the GDPR.”
Scores: gender, age and address. The 28,000 scores show that women tend to be given higher scores than men (547 vs 522). Geographical patterns are also apparent. The cities of Vienna (523), Graz (519) and Linz (513) have lower average scores than the rest of Austria (530), although there are significant differences within the cities. However, age appears to have the greatest influence: on average, the score increases by around 2.6 points per year of life.
Max Schrems: "Even with more than 28,000 scores, it still seems clear that for most of those affected, the score is primarily based on address data. Age and gender appear to have only a minor influence on the scores."
noyb asks participants for further tips. In order to gather further information on the practices of CRIF and its partner companies, noyb calls on all 2,440 participants to report any anomalies in their access requests. To this end, noyb has also published a detailed description of all available data fields.
Max Schrems: ‘In most cases, those affected have the best information about what might have been accessed or what might be incorrect. We have therefore called on all participants to check their data and report any inconsistencies to us. We are eager to see what this will reveal.’
Detailed evaluation in the coming weeks. noyb will now work with a professor of financial mathematics to compare the more than 28,000 scores with the actual financial data of those affected to find out whether the CRIF scores are statistically reliable. Currently, all indications seem to suggest that the CRIF score has little or nothing to do with the actual individual financial situation. Further results are expected in the coming weeks. After that, noyb will also decide whether to file a larger class action lawsuit against CRIF. If personal data has been processed unlawfully, those affected could well be entitled to relevant claims for damages.
Update in response to CRIF statement:
Despite allegations of ‘incorrect’ information in this press release, CRIF confirms all statements made by noyb:
- The companies named by noyb are part of the CRIF network
- Data is provided to CRIF by address brokers and also some CRIF customers
- CRIF generates credit scores even though, according to its own statements, it has ‘no information on income and assets’.
Max Schrems: ‘Essentially, there is no dispute about what CRIF and its partners do. The CRIF press release contains no substantive criticism.’
