The frequently criticized credit referencing agency CRIF GmbH has collected addresses, dates of birth and names of almost all Austrians in order to calculate "creditworthiness values" without consent or any other legal basis. The Austrian Data Protection Authority (DPA) has now ruled in a test case that this data was processed illegally. Millions of data records must be deleted.
- Decision of the data protection authority (German)
- Autotranslated Decision (English)
- Link to the test case of noyb
Address publisher illegally gives personal data to credit referencing agency. Most of the core data (name, address, date of birth, gender) that CRIF uses to calculate questionable "creditworthiness values" came from the address publisher AZ Direkt (which belongs to the German Bertelsmann Group). AZ Direct is only allowed to pass on this data only for marketing purposes - not for credit rating calculations. Nevertheless, the data of millions of Austrians (almost the entire resident population) unlawfully ended up at CRIF GmbH for credit agency purposes. noyb has filed a test case on this problematic approach and has now won.
"The GDPR forsees that data may only be used for specific purposes. You can't just sell marketing data to a credit referencing company. The DSB has now proven us right. Millions of people in Austria are affected by this." - Max Schrems, Chairman of noyb.
Millions of people without payment problems recorded and "scored". With the help of AZ Direct, CRIF has data of millions of Austrians, assignes everyone a "credit score" and sells that information to any company. Many mobile phone providers, online stores and banks use this data to find out more about their customers.
"The CRIF database offers addresses and dates of birth of almost every Austrian on demand. For little money, a questionable 'credit score' is also calculated. Customers are not given a cell phone contract or electricity contract if their score is too low. One might have to pay higher loan installments if the bank uses this score. We believe that data should only be collected from manifest defaulters at most - not from the entire population." - Max Schrems, Chairman of noyb
Ban & Appeal expected. This decision is on an individual data subject and only states that the data processing was not lawful. However, the processing was not prohibited by the Austrian data protection authority - the authority refers to a general official prohibition, which is still pending. noyb expects CRIF to appeal this decision since it is a major blow against their business model. A successful appeal is, however, unlikely.
Those affected can gather evidence and request information about their own data from CRIF. Damages may also have to be paid in the future. This depends on the Court of Justice ruling on another case, which will be decided soon.
"We recommend getting a free copy of one's data from CRIF for evidence purposes. It could soon be clarified whether one also receives compensation for the unlawful data processing. Here, however, we are still waiting for other judgments." - Max Schrems, Chairman of noyb.
CRIF heavily under pressure. noyb currently has several ongoing cases against CRIF: for the intrasparent and error-prone calculation of the creditworthiness scores, for not having a legal basis for storing the data of millions of people in Austria, and unlawful data sources. At this point, history repeats itself: f CRIF was already involved in a scandal about illegal data transfer from the judiciary in the 2000s (at that time still under the name "Deltavista").