noyb has scored a stage victory in its proceedings against the credit reference agency CRIF and the address trader Acxiom in Germany. The companies are illegally trading the personal data of millions of Germans. A little over two years ago, noyb therefore filed a complaint. Now the Bavarian data protection authority has ruled that CRIF has misused the purchased data – and therefore violated European data protection law. Meanwhile, the Hessian authority has rejected an application by Acxiom to deny noyb any access to the case files.
Background: Secret, illegal data trading. The credit reference agency CRIF constantly buys personal data such as the names, addresses and dates of birth of millions of Germans from the address trader Acxiom and uses it to assess their creditworthiness. The trade happens secretly and without the consent or a notification of those affected. According to the GDPR principle of purpose limitation, data collected for marketing purposes may only be used for credit scoring with consent. As a result, both companies are in breach of European data protection law.
Data trade declared illegal. The Bavarian data protection authority (DPA), which is handling the proceedings against CRIF, has now followed this assessment: CRIF processed the complainant’s data contrary to the principle of purpose limitation and breached its duty to inform him about acquiring his data from Acxiom. But that’s not all: the authority states that the credit agency provided incomplete answers to a request for information from the complainant and that it even provided false information.
Max Schrems, chairman of noyb: “The German authorities have stood by long enough while CRIF secretly enriched itself with the data of millions of Germans. The fact that the Bavarian data protection authority has now declared the data trading with Acxiom illegal is a good first step. Clear consequences are needed for credit agencies that believe they are above the law."
General ban under review. With its decision, the Bavarian DPA follows a ruling by the Austrian authority (DSB) from March 2023. In a noyb case against the Austrian branch of CRIF, the DSB ruled at the time that secret trading between credit agencies and address traders violates the GDPR and is therefore illegal. Building on this, noyb recently also filed a lawsuit against CRIF in Austria. The Bavarian DPA is currently conducting further proceedings against CRIF Germany, in which it is examining a general ban on the purchase of data from address traders such as Acxiom.
Delay in proceedings by Acxiom. The proceedings against Acxiom (handled by the Hessian data protection authority) are several months behind schedule. The address trader went to court to prevent the complainant from accessing the case files. This brought the entire proceedings to a standstill – which enabled Acxiom to continue its illegal data trading. The court has now rejected Acxiom’s application as inadmissible.