Harber Schlag for the business model of the credit agency Crif (formerly Deltavista) in Austria: The local data protection authority (DSB) has decided that Crif has unlawfully processed data from many citizens for years to calculate so-called score values for credit checks. The stumbling block: Crif received information such as names, addresses and dates of birth from the address publisher AZ Direkt Austria, which belongs to Bertelsmann. According to the decision, however, the latter was not authorized to disclose or sell this data for the purposes of credit assessments.
The controversial data processing by the credit agency is not covered by Article 6 of the General Data Protection Regulation (GDPR), writes the DSB in the decision against Crif dated March 24 (Az. D124.3816 2023-0.193.268). The processing is therefore unlawful.
Bertelsmann subsidiary should not have sold data
The authority already determined in July (Az. D124.3817 2021-0.584.299) that AZ Direct violated the principle of earmarking by passing on the data without restriction to direct marketing. Because the data was collected for direct marketing, not for other purposes.
This infringement of rights by AZ Direct cannot be attributed to Crif. However, for data processing to be permissible, all the principles set out in Article 5 GDPR must be observed. According to this, personal information must be “collected for specified, clear and legitimate purposes”.
Noyb celebrates success in test cases
The complaint was submitted by a person concerned with the support of the civil rights organization Noyb, which is now won “test case” speaks. Through the cooperation with AZ Direct, Crif recorded millions of Austrians, assigned them a “credit score” and “offered the data to every company for sale”. Many mobile phone providers, online shops such as Zalando or Media Markt and banks use these benchmarks “to find out more about their customers”.
Customers are “not given a mobile phone contract or electricity contract if the scores are too low,” explained Noyb founder Max Schrems. “It may also be that you have to pay higher loan installments if the bank uses this score.” The entire resident population does not have to put up with such a controversial procedure.
Further proceedings against Crif are ongoing
Contrary to the Noyb application, the DSB has not yet imposed a “very concrete processing ban” on the data purchased from the address publisher. Those affected should not apply for this at all, but will be decided in a separate, officially opened procedure.
Noyb assumes that the DSB will soon issue “a general official ban”. Crif will probably appeal because it’s about the core business. In the meantime, those affected could “collect evidence” and “request information about their own data” from the company in order to possibly claim damages in the future.
It is disputed whether compensation for damages would be due without concrete damage. A case is pending at the European Court of Justice (ECJ), which also originates from Austria: The Austrian post office has secretly calculated the supposed “affinity” of 2.2 million Austrians for certain political parties. A person affected seeks compensation for the “internal hardship” suffered as a result.
Crif did not violate purpose limitation
The Austrian data protection authority rejects another part of the complaint against Cirf with strange arguments: the person concerned also complained that Crif used the data he had bought from AZ Direct for a different purpose than the one originally collected by AZ Direct.
The authority says that Crif wanted the data from the start, i.e. at the time of purchasing AZ Direct, for calculating creditworthiness purposes. Therefore, there is no violation of the principle of purpose limitation on the part of Crif, precisely because Crif never claimed otherwise. Both parties to the procedure can lodge an appeal. heise online invited Crif to comment on Tuesday evening.
(ds)
