IPG-owned data giant Acxiom has been caught up in a major breach of GDPR by selling the personal data of millions of Germans to a credit reference agency, which has then used the information without consent to assess customers’ creditworthiness.
The legal case was first launched by the Max Schrems-backed privacy organisation NOYB two years ago against credit reference agency CRIF and Acxiom over the trade in personal data, including consumers’ names, addresses and dates of birth.
NOYB alleges the trade happens secretly and without the consent or a notification of those affected. According to the GDPR principle of “purpose limitation”, data collected for marketing purposes may only be used for credit scoring with consent. As a result, both companies are in breach of European data protection law, the privacy organisation claims.
The Bavarian data protection authority, which is handling the proceedings against CRIF, has now ruled that CRIF processed the complainant’s data contrary to the principle of purpose limitation and breached its duty to inform them about acquiring their data from Acxiom.
The authority also states that the credit agency provided incomplete answers to a request for information from the complainant and that it even provided false information.
The move follows a decision by the Austrian authority in March 2023, which ruled that secret trading between credit agencies and address traders violates the GDPR and is therefore illegal.
Building on this, NOYB recently also filed a lawsuit against CRIF in Austria. The Bavarian DPA is currently conducting further proceedings against CRIF Germany, in which it is examining a general ban on the purchase of data from address traders such as Acxiom.
Meanwhile, Acxiom went to court to prevent the complainant from accessing the case files, bringing the proceedings to a standstill – which enabled Acxiom to continue its trading. However, the court has now rejected Acxiom’s application as inadmissible.
Max Schrems said: “The German authorities have stood by long enough while CRIF secretly enriched itself with the data of millions of Germans. The fact that the Bavarian data protection authority has now declared the data trading with Acxiom illegal is a good first step. Clear consequences are needed for credit agencies that believe they are above the law.”
Related stories
Heathrow first aboard as Acxiom signs Salesforce deal
Acxiom signs deal to add data services to Google Cloud
Acxiom in deal to offer ‘hyper-personalisation at scale’
Acxiom backs GDPR solution to adtech’s data crisis
IPG ties Acxiom and Cadreon for martech ‘revolution’
