CRIF Bürgel – Complaint Upheld (Germany, 2023)

Complaint Upheld
DPA BayLDA | 21 December 2023 | Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.


GDPR Articles Cited

Art. 12 GDPR
Art. 14 GDPR
Art. 18 GDPR
Art. 5(1)(b) GDPR
Full Legal Summary

Controller 1, the credit reference agency CRIF Bürgel, bought personal data, such as the names, addresses and dates of birth of millions of Germans, including of the data subject, from controller 2, the address trader Acxiom, which collected this personal data for direct marketing purposes. Controller 1 used this personal data to assess the creditworthiness of individuals.

The data subject requested access to a copy of his data and the information on the processing of his personal data under Article 15 GDPR. Controller 1 replied with information on which personal data was available. However, controller 1 did not provide the data subject with any information on the exact date of receiving the data from controller 2, the storage period, the disclosure of data to certain recipients and the purposes of the transfer. Even after multiple letters and reminders by the data subject to provide this information, the controller did not respond.

The data subject also requested controller 1 to restrict the processing of his personal data under Article 18 GDPR. Controller 1 argued that the right to restrict processing only existed if the data in question were incorrect, and therefore rejected the data subject’s request for restriction.

The data subject, represented by noyb, then filed a complaint at the Bavarian DPA (“Bayerisches Landesamt für Datenschutzaufsicht”) against controller 1. The data subject, again represented by noyb, filed another complaint at the Hessian DPA (“Hessischer Beauftragter für Datenschutz und Informationsfreiheit”) against controller 2. This summary covers the decision of the Bavarian DPA and thus only concerns controller 1.

The data subject argued that controller 1 violated Article 5(1)(b) GDPR, Article 14 GDPR, Article 15 GDPR and Article 18 GDPR. Regarding the violation of Article 5(1)(b) GDPR, the data subject argued that the processing of personal data received from controller 2 by controller 1 violated the principle of purpose limitation. Controlle

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for CRIF Bürgel in DE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date: 21 December 2023

Authority: DPA BayLDA

GDPRhub ID: gdprhub-7838

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CRIF Bürgel - Germany (2023). Retrieved from cookiefines.eu
