Right of access as a data protection boomerang?

Feb 08, 2021

Right of access as a data protection boomerang? Credit reference agency collects data from people who request information

On 08.02.2021, noyb filed a GDPR complaint against the credit worthiness data broker KSV 1870. The Austrian credit reference agency stores data from previously unknown individuals who exercise their legal right to access their data without permission.

Right of access as a data protection boomerang? Everyone has a right to obtain information about what data a company processes about them. However, many people are afraid to request information because a company might have even more data on them than before: Often, one has to provide an ID or give their name, address and date of birth in order to receive the requested information. In theory there is no reason to be afraid:  companies are obviously only allowed to use the data for the purpose of providing information and must delete it afterwards. This is not the case with KSV, the industry leader among Austria's credit reference agencies:

KSV: Curiosity killed the cat. The data subject had sent an access request under Article 15 GDPR to KSV. KSV replied that no personal data of the data subject is processed. At least until now. But the next paragraph states: “After receiving your request, the identification data you provided will now be processed in our commercial database in the context of our business under § 152 of the Trade Regulation Act.”

This boldness is astonishing. The KSV receives the data only to answer the access request, but then enters it into its database without permission. Subsequently, the data is used to calculate credit scores, which KSV sells to its customers. Do you want to know whether KSV has your data? Just ask, and they'll have it for sure!” Marco Blocher, data protection lawyer at noyb.eu

Systematic fattening of the database? KSV's approach is systematic – noyb is aware of several similar cases: If a person was unknown to KSV, name, address and date of birth from the access request were stored in the database. If KSV already knew the person, they updated their database based on this information. KSV's actions violate the principle of purpose limitation according to Article 5(1)(b) of the GDPR. According to this principle, data shall be collected for a specified, explicit and legitimate purpose. Further processing for another purpose is only permitted if it is compatible with the original purpose.

People make access requests in order to become aware of data processing – and, if necessary, to take action against it. It’s just grotesque that off all things such requests lead to ending up in the KSV database.” Marco Blocher, data protection lawyer at noyb.eu

noyb keeps a close eye on data brokers. Data trading companies must adhere to particularly strict standards when it comes to data protection. This applies not only to credit reference agencies and address publishers, but also to big tech and social media companies. As these companies have access to huge bulks of data, it is even more important to handle it with great care.

Unfortunately, many so-called “data-driven businesses” have a completely misguided self-image. Once they have data they essentially do whatever they want  – no matter why or how they originally got hold of it. The GDPR has introduced concepts such as purpose limitation to prevent this.. In reality they don’t care too much about that.” Marco Blocher, data protection lawyer at noyb.eu