On Tuesday, noyb filed a GDPR complaint against the Vienna-based address broker AZ Direct Österreich GmbH. The company, which belongs to the Bertelsmann group, had refused to provide information on the origin and recipients of the data processed. The reasons given were shocking: The address broker claims not to know where the data came from – it would have been too burdensome to record that. Nevertheless, data is collected day in, day out and sold to advertisers. The recipients who receive data from AZ Direct were not revealed either.
Data of allegedly unknown origin and made-up legal provisions.
The data subject had sent an access request under Article 15 GDPR to AZ Direct. He also asked where the address publisher had collected his data from and to whom it had been sold. AZ Direct stated that, among other things, it had stored (former) residential addresses of the data subject. However, the address broker claimed not to know how it had gotten this data. Allegedly, the only available information was that one of the addresses had been collected "due to a relocation [of the data subject]".
AZ Direct did not provide any detailed information on the origin of the data – although the GDPR explicitly requires this. AZ Direct merely stated that "all data is constantly being kept up to date through own research". However, "separate records of the respective concrete origin" were not kept.
Marco Blocher, data protection lawyer at noyb: "AZ Direct's statements are absurd. Trading in address data for third-party advertising purposes is the core business of this company. They have to know where the data comes from. This isn’t even only data protection, it is also in an address broker's own interest. Think of it: a supermarket also needs to know where its meat, dairy products, and bread come from."
AZ Direct justifies its alleged ignorance with a reference to non-existent legal provisions: Precise records on the origin of the data would be an "excessive effort in the sense of the DSG". This is remarkable, as neither the DSG (the Austrian Data Protection Act) nor the GDPR provides for such an exception. AZ Direct’s legal claim is made up and a sorry excuse for not having any records on the origin of the data, despite follow-up requests by the data subject.
Marco Blocher: "AZ Direct is subject to accountability under data protection law and must be able to prove at all times that the rules of the GDPR are being observed. How can they do so if they have no idea where the data comes from? They would never be able to comply with a data subject’s access request – let alone ensure that the data is correct in terms of content. Either AZ Direct is deliberately withholding information on the origin of the data, or they have a massive structural problem, which makes their entire business model incompatible with the GDPR. In either case, there is a need for explanation. A made-up legal provision cannot change this."
The data recipients are also kept secret.
Not only the "where from" but also the "where to" of the data remains opaque. According to the GDPR, the reply to an access request must also contain information on who the recipients of the data were. AZ Direct remains silent in this regard as well and only gives possible categories of recipients but refuses to say to whom exactly which data was transmitted.
Marco Blocher: "When it comes to the data sources, they claim to know nothing and when it comes to the recipients, they refuse to say anything. In the end, the data subject is taken for a fool. As if by magic, the data apparently popped up in the address broker’s system and might have been passed on to someone else. There is no more information. Under the GDPR, a data subject should be able to track where their data is being sent so that they can take action against unwanted processing. AZ Direct turns address broking for advertising purposes into a black box. This is unacceptable."
noyb is dedicated to ensuring transparent data processing.
Just like noyb's complaints against streaming services such as Netflix, Amazon Prime or YouTube, the complaint against AZ Direct is ultimately about transparency – one of the GDPR’s principles. In order to guarantee this, a data subject is entitled to access their data for free. In practice, however, this often leads to people running into walls.
Marco Blocher: "An access request should allow a data subject to assess the lawfulness of the data processing. However, if a company ignores the law and provides no information or only incomplete information, this is often not possible. The only way left is to apply to the competent data protection authority to force the company to provide the requested information in compliance with the GDPR. In the present case, we hope that the authority will make use of its extensive powers and investigate the case thoroughly. Especially in industries whose core business is data trading, systematic intransparency must not be tolerated."