CRIF Bürgel – Complaint Upheld (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Bavarian DPA upheld a complaint against CRIF Bürgel for not providing a person with complete information about their personal data. This matters because it emphasizes the rights individuals have to access and understand how their data is used.
What happened
CRIF Bürgel failed to give a person full details about their personal data and how it was processed.
Who was affected
A German individual whose creditworthiness was assessed by CRIF Bürgel was affected by this lack of information.
What the authority found
The Bavarian DPA found that CRIF Bürgel did not comply with the requirements to provide complete information under GDPR.
Why this matters
This case reinforces the importance of transparency in data processing. Companies must be prepared to provide clear and complete information to individuals about their data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Controller 1, the credit reference agency CRIF Bürgel, bought personal data, such as the names, addresses and dates of birth of millions of Germans, including of the data subject, from controller 2, the address trader Acxiom, who collected this personal data for direct marketing purposes. Controller 1 used this personal data to assess the creditworthiness of individuals. The data subject requested access to a copy of his data and the information on the processing of his personal data under Article 15 GDPR. Controller 1 replied with information on which personal data was available. However, controller 1 did not provide the data subject with any information on the exact date of receiving the data from controller 2, the storage period, the disclosure of data to certain recipients and the purposes of the transfer. Even after multiple letters and reminders by the data subject to provide this information, the controller did not respond. The data subject also requested controller 1 to restrict the processing of his personal data under Article 18 GDPR. Controller 1 argued that the right to restrict processing only existed if the data in question were incorrect, and therefore rejected the data subject’s request for restriction. The data subject, represented by noyb, then filed a complaint at the Bavarian DPA (“Bayerisches Landesamt für Datenschutzaufsicht”) against controller 1. The data subject, again represented by noyb, filed another complaint at the Hessian DPA (“Hessischer Beauftragter für Datenschutz und Informationsfreiheit “) against controller 2. This summary is on the decision of the Bavarian DPA and thus only concerns controller 1. The data subject argued that controller 1 violated Article 5(1)(b) GDPR, Article 14 GDPR, Article 15 GDPR and Article 18 GDPR. Regarding the violation of Article 5(1)(b) GDPR, the data subject argued that the processing of personal data received from controller 2 by controller 1 violated the principle of purpose limitation. Controlle
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for CRIF Bürgel in DE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. CRIF Bürgel - Germany (2023). Retrieved from cookiefines.eu
Last updated: