BayLDA (Bavaria) - LDA-1085.1-10821/21-F

The DPA held that it was unlawful to use data that was collected for marketing purposes to assess the creditworthiness of data subjects as it violates the principle of purpose limitation under Article 5(1)(b) GDPR.

English Summary

Facts

Controller 1, the credit reference agency CRIF Bürgel, bought personal data, such as the names, addresses and dates of birth of millions of Germans, including of the data subject, from controller 2, the address trader Acxiom, who collected this personal data for direct marketing purposes. Controller 1 used this personal data to assess the creditworthiness of individuals.

The data subject requested access to a copy of his data and the information on the processing of his personal data under Article 15 GPDR. Controller 1 replied with information on which personal data was available. However, controller 1 did not provide the data subject with any information on the exact date of receiving the data from controller 2, the storage period, the disclosure of data to certain recipients and the purposes of transfer. Even after multiple letters and reminders by the data subject to provide this information, the controller did not respond.

The data subject also requested controller 1 to restrict the processing of his personal data under Article 18 GDPR. Controller 1 argued that the right to restrict processing only existed if the data in question were incorrect, and therefore rejected the data subject’s request for restriction.

The data subject, represented by noyb, then filed a complaint at the Bavarian DPA (“Bayerisches Landesamt für Datenschutzaufsicht”) against controller 1. The data subject, represented by noyb too, filed another complaint at the Hessian DPA (“Hessischer Beauftragter für Datenschutz und Informationsfreiheit “) against controller 2.

The data subject argued that controller 1 violated Article 5(1)(b) GDPR, Article 14 GDPR and Article 18 GDPR.

Regarding the violation of Article 5(1)(b), the data subject argued that the processing of personal data received from controller 2 by controller 1 violated the principle of purpose limitation. Controller 1 argued that this was not new processing as they had the same personal data them when it obtained the personal data from controller two.

Regarding the violation of Article 14 GDPR, the data subject argued that he never received any information on the data collection by controller 2 and on the further processing for purposes of creditworthiness assessment by controller 1. This infringed upon the information obligations the controller had under Article 14 GDPR.

Regarding the violation of Article 18 GDPR, the data subject argued that it was unlawful to reject the restriction of processing, as the data subject did not base his request on the accuracy of personal data under Article 18(1)(a) GDPR, but on the unlawfulness of the processing under Article 18(1)(b) GDPR and the legitimate grounds of the processing under Article 18(1)(d).

Holding

The DPA rejected controller 1’s argument that it was not new processing as controller 1 could still deduce from obtaining the data of controller two that the data subject was still a resident at the current address that controller 1 was already storing. Therefore, the DPA held that the data subject should have been informed no later than one month after obtaining the data from controller 2, in accordance with Article 14 GDPR. As this did not happen, the DPA held there was a breach of the information obligation under Article 14(1) GDPR and Article 14(3)(a).

The DPA further held that controller 2’s processing purpose of direct marketing and controller 1’s processing purpose to assess the creditworthiness of individuals were not compatible. The DPA therefore held that controller 1 was in violation with Article 5(1)(b) GDPR and Article 6(4) GDPR.

The DPA also found that controller 1 did not provide the data subject complete information after an access request under Article 15 GDPR. The data subject did not receive the date that his personal data, specifically his address, was processed by the controller. The DPA held that the controller’s lack of answers to the access request violated Article 12(3) GDPR and Article 12(4) GDPR, which obligates the controller to provide information to the data subject without undue delay.

The DPA informed the controller to erase the personal data of the data subject as soon as the data subject withdraws his request to restrict processing under Article 18 GDPR and does not provide evidence of consent for processing pursuant to Article 6(1)(a) GDPR.

The DPA further issued two supervisory warnings to the controller in accordance with Article 58(2)(b) GDPR on the violations of Article 14(1) GDPR, Article 14(3)(a) GDPR and Article 5(1)(b) in conjunction with Article 6(4).

The DPA also issued a supervisory warning to the controller that stated that comparable processing operations in relation to other data subjects, even if they are carried out on the basis of any comparable contracts with other data suppliers, would also constitute an unauthorised change of purpose and violate the principle of purpose limitation. The DPA also requested the controller to not further process personal data of the data subject with a different purpose.

The DPA also held it will conduct further proceedings against the controller to closer examine a general ban on the purchase of data from address traders such as controller 2.

Comment

The DPA followed a ruling by the Austrian DPA (DSB 2023-0.193.268) from March 2023. This case, also filed by noyb, was against the Austrian branch of the controller and the DPA held that secret trading between credit agencies and address traders violates the GDPR and is therefore illegal.

The proceedings against controller 2, Axciom, which is handled by the Hessian DPA is behind schedule. The controller went to court to prevent the data subject from accessing the case files. This brought the entire proceedings to a standstill. The court has now rejected Acxiom’s application as inadmissible, but has not issued a decision yet.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Your reference: C044, (partial) final notice LDA-1085.1-10821/21-F

Subject: Your reference: C044, (partial) final notice LDA-1085.1-10821/21-F

From: "XXXX, XXXX (LDA)" <XXXXXXXX@lda.bayern.de>

Date: December 21, 2023, 1:58 p.m.

To: Legal <legal@noyb.eu>

Your reference: C044

------------------------------------------------
File number: LDA-1085.1-10821/21-F

Dear Sir or Madam,

we are coming back to the above-mentioned complaint of October 18, 2021 and inform you

as a result of the following:

As already roughly explained in our conversation on September 29, 2023, the following findings have arisen for us in the proceedings:

- At the beginning of July 2018, and from then on at other points in time when Acxiom contractually obtained data from the

complainant, CRIF collected/obtained data from Acxiom within the meaning of Art. 14 Para. 1, 3 lit. a GDPR.

CRIF had essentially argued that this was not new processing, since the data was already known to CRIF as delivered. This argument was not convincing for us, since CRIF could at least deduce from the delivery

as a new date that the complainant was still resident at the current address stored with CRIF at the time of delivery, also based on the data from Acxiom. This would have made it obligatory to provide information to the complainant in accordance with Art. 14 GDPR no later than one month after this data delivery.

This did not happen or only happened several years later, so there is a violation of the obligation to provide information under Art. 14 Para. 1, 3 lit. a GDPR.

- Likewise, in the aforementioned processing under the GDPR, CRIF disregarded the fact that the

purpose of processing at Acxiom was direct marketing, while CRIF used the data for the purposes of assessing

creditworthiness in commercial transactions.

This change in the purpose of processing could not be legitimized by Art. 6 Para. 4 GDPR. The purposes are not

compatible. The provisions of Section 24 BDSG are also not applicable, so that overall an inadmissible

change of purpose was made contrary to Art. 5 Para. 1 lit. b in conjunction with Art. 6 Para. 4 GDPR.

In addition to this general violation, the transmission to EOS also constitutes a violation of Art. 5 Para. 1 lit. b

in conjunction with Art. 6 Para. 4 GDPR, since this was at least partly based on the data that was subject to the inadmissible

change of purpose.

- Furthermore, the following deficiencies in particular existed in the processing of the complainant's requests:

The complainant did not receive complete information, in any case because it was not stated since when his

address data record had been processed at CRIF, although this allows conclusions to be drawn about his minimum period of residence at the address

and represents personal data.

In general, with regard to the complainant's requests, it is noticeable that the answers repeatedly did not comply with the content and

deadline-determining requirements of Art. 12 Para. 3 Sentence 1 or Art. 12 Para. 4 GDPR, and in any case the answer

of April 8, 2021 reproduced information that was inaccurate in its general nature in such a way that it was suggested that rights to

correction, deletion and restriction at CRIF would only be considered if the data processed

were incorrect.

Based on the above findings, we have initiated the following measures:

1 of 4 12/21/2023, 4:48 p.m. Your reference: C044, (partial) final notification LDA-1085.1-10821/21-F

- Regarding the deficiencies in the handling of the data subject's requests, we have informed CRIF of the violations but, within the scope of

our discretion, have refrained from taking further supervisory measures under Art. 58 (2) GDPR for the time being.

This does not affect any further official audits that are planned (see below).

- With regard to the complainant's data, for which an inadmissible change of purpose was made in accordance with our statements above or possibly in a comparable manner under the GDPR, we have informed CRIF that deletion must take place immediately as soon as the person concerned withdraws his request to restrict processing and consent for processing within the meaning of Art. 6 Paragraph 1 Subparagraph 1 Letter a of GDPR is not simultaneously proven. - With regard to the violations of Art. 14 Paragraph 1, 3 Letter a of GDPR and Art. 5 Paragraph 1 Letter b in conjunction with Art. 6 Paragraph 4 GDPR that occurred in the complainant's case, we have issued CRIF with two supervisory warnings in accordance with Art. 58 Paragraph 2 Letter b of GDPR. With reference to the legal findings of these warnings, we have also issued a supervisory warning to CRIF pursuant to Art. 58 (2)(a) GDPR to the effect that comparable processing in relation to other data subjects, even if carried out on the basis of any comparable contracts with other data suppliers, would also constitute an impermissible change of purpose contrary to the data protection principle of purpose limitation on the part of CRIF. This does not affect any further official examinations that are intended (see below). - We have also requested confirmation from CRIF that further comparable processing that changes the purpose will not be carried out in relation to the complainant. The most recent response we received from CRIF on this matter is as follows: "Our client [note: BayLDA: CRIF] hereby confirms that it will not process the complainant's personal data for a purpose other than that of the complainant, in such a way that the complainant's personal data, which it has or will collect in accordance with the contract for the purpose of direct marketing and not for the purpose of assessing creditworthiness, will be processed by way of a change of purpose for assessing creditworthiness without the complainant's consent." According to our current assessment, this confirmation does not fully cover the processing that we consider to be inadmissible. Before we therefore examine a supervisory ban, however, we consider it necessary to wait for the assessment by the supervisory authority in Hesse on the processing by Acxiom, which is closely related to the processing considered here at CRIF, so that we are postponing a decision on this point. On this point, therefore, only a partial conclusion is made, which is also made clear to CRIF. This does not affect any further intended official examinations (see below). In addition to these measures, we have already expressly reserved the following further steps towards CRIF. Since it appears more effective in the context of data protection enforcement to look at the underlying data protection processes

rather than just the handling in the individual case at hand, their review / implementation should, as already explained on

September 29, 2023, be carried out step by step in separate official proceedings, detached from the individual case at hand:

- A closer official review of the practice of inadmissible changes of purpose, which we consider to be more far-reaching / systematic based on the present case.

- A closer official review of the admissibility of processing data of data subjects (also outside of

industry pools) without there being any negative characteristics for these data subjects.

- A closer official review of whether CRIF generally complies with the standards and

specifications of Art. 13 and 14 GDPR in conjunction with Art. 12 GDPR when fulfilling its information obligations, as doubts arose in this regard, among other things, during the processing of the present case.

2 of 4 December 21, 2023, 4:48 p.m. Your reference: C044, (partial) final notice LDA-1085.1-10821/21-F

- A closer examination ex officio as to whether the information provided by CRIF meets the requirements of Art. 15 GDPR;

for example, more specifically, whether it generally contains all personal data that CRIF processes on data subjects, whether the information meets the requirements of Art. 15 Para. 1 lit. g GDPR and whether the obligations of

Art. 15 Para. 1 lit. c GDPR are sufficiently fulfilled.

- We have also reserved the right to include the findings of the present proceedings in any future

fine proceedings or to take them up independently.

With these findings / measures, we are discontinuing the complainant's individual case for the time being (see above, regarding
Partial conclusion of any ban).

Without prejudice to our position, affected persons have the opportunity to assert alleged violations in parallel /
additionally directly in civil court against a responsible party (Art. 79 GDPR). The civil courts
are independent in their decision and are not bound by our assessments. Any decisions on compensation

for damage suffered, if such should be assumed, would be reserved exclusively for the civil courts,
so we make no statement in this regard.

Kind regards

XXXX
Department 1
Bavarian State Office for Data Protection Supervision

Promenade 18
91522 Ansbach
Tel.: 0981 180093113

PC fax: 0981 180093813
Email: XXXXXXXX@lda.bayern.de https://www.lda.bayern.de

Information on the processing of your personal data:
The Bavarian State Office for Data Protection Supervision is responsible for the processing of your personal data in the context of the

present contact. Further information on the processing of your data, in particular on

the rights to which you are entitled, can be found on our homepage at

www.lda.bayern.de/Informationen or by any other means using the above-mentioned

contact details.

Instructions on legal remedies

With reference to Articles 77 and 78 of the GDPR, we would like to point out that an appeal can be lodged against this

decision with the

Bavarian Administrative Court of Ansbach,

Promenade 24-28, 91522 Ansbach

Information on instructions on legal remedies

The appeal can be lodged in writing, in writing or electronically in

a form approved for replacing the written form. The filing of an

appeal by simple email is not permitted and has no

legal effect!

3 of 4 December 21, 2023, 4:48 p.m. Your reference: C044, (partial) final notice LDA-1085.1-10821/21-F

From January 1, 2022, the group of people named in Section 55d of the Administrative Court Act (VwGO)

(in particular lawyers) must generally file lawsuits electronically.

By virtue of federal law, in legal proceedings before the administrative courts, a procedural fee is due as a result of the filing of the action.

4 of 4 12/21/2023, 4:48 p.m.