Illegal data exchange between address publisher and credit ranking agency
noyb filed a GDPR complaint against the credit ranking agency CRIF GmbH and the address publisher AZ Direct on March 18, 2021. The companies exchange data which violates the GDPR, as well as Austrian law. Address publishers are only allowed to pass on data for advertising purposes, but not to credit agencies for credit rating.
Download: Complaint to the Austrian Data Protection Authority (PDF)
Download: English machine translation of the complaint (PDF)
CRIF and AZ Direct: GDPR violation as a common business model. The complainant had submitted an access request under Article 15 GDPR to CRIF. CRIF stated that it had stored his name, date of birth and some (partly outdated) residential addresses. The only data source mentioned was the address publisher AZ Direct. However, address publishers are only allowed to pass on data for advertising purposes. In the case of CRIF, it was very apparent that they had calculated several creditworthiness scores on the basis of the data received from AZ Direct and sent them to various companies.
Secret data trading. Credit agencies can access publicly available data, like from different registers to collect identification data. However, only a fraction of the population can be found there. Most of the data apparently comes from a different source, namely address publishers which by law, are only allowed to pass on data for advertising purposes.
"The majority of the data credit ranking agencies have come from address publishers - without any legal basis and without ever asking the data subjects for consent or informing them. The complainant also did not know that his data was being collected until his access request, although the GDPR clearly states that he should have been informed about this collection" Alan Dahi, data protection lawyer at noyb.eu
Purpose limitation as an alien concept. The principle of purpose limitation states that data may only be collected for " specified, explicit and legitimate purposes " and may not be further processed for other, incompatible purposes. However, according to the business register AZ Direct is solely an address publisher and is therefore only allowed to pass on data for direct marketing purposes. Nevertheless, CRIF had obviously used the data for credit assessment purposes - a serious violation of the principle of "purpose limitation" according to Article 5 DSGVO.
"Direct marketing and credit rating are two completely different and incompatible purposes. CRIF and AZ Direct are both violating the principle of purpose limitation. In addition, there are possible violations of Austrian trade law, which we are also examining. " Alan Dahi, Data Protection Lawyer at noyb.eu
Not an isolated case. CRIF makes no secret of its relationship with address publishers: address publishers are named in the data protection declaration as regular data suppliers. Moreover, CRIF declares on its website that it has no negative data (i.e. no data on unpaid debts) from more than 90% of the people stored. They therefore inevitably obtain most of the data from address publishers.
"The situation of the complainant is not an isolated case. noyb is aware of several similar cases. CRIF has apparently acquired millions of data records from address publishers such as AZ Direct over a period of years without informing a single person affected. If you have a residence in Austria, there is a high probability that you are also affected." Alan Dahi, privacy lawyer at noyb.eu
The authority’s turn. If the Austrian Data Protection Authority (DPA) follows our complaint, CRIF will have to refrain from such data collection in the future - and delete all the data collected in violation of the GDPR. Furthermore, the DPA can impose a fine of up to €20 million or 4% of the annual turnover on both CRIF and AZ Direct.
"The address trading and credit ranking industries have still not adapted their business practices to the requirements of the GDPR. It is high time that these industries also arrive in the present and respect data protection! " Alan Dahi, Data Protection Lawyer at noyb.eu
Exercise your rights! You can also find out whether CRIF has unlawfully collected your data from an address publisher such as AZ Direct. To do so, send an access request under Article 15 of the GDPR to CRIF (auskunft@crif.com) and ask in particular about the origin of the data processed. More information is available here. CRIF is obliged to provide you with this information within one month. After that, you are welcome to contact us for further steps.
