An investigation into data flows at the Austrian credit agency CRIF has shed further light on the matter: most of the address data in the CRIF database comes from address brokers AZ Direct (Bertelsmann Group), Compass-Verlag and DPIT in Vienna. But where do these address traders get their data from? A new noyb evaluation involving more than 2,400 affected individuals shows that they access public registers such as the company and land registers, the register of associations and the Business Information System (GISA) which was introduced in 2015. Compass also lists the chamber of commerce (WKO) as a data source. However, it remains unclear where AZ Direct (CRIF’s largest data supplier) obtains its data. AZ Direct says it does not know where it got the data on 7 million people in Austria.
[…]
Government does nothing to combat ‘scraping’ of public registers? Public registers are indispensable in a well-administered state of law (e.g. to check whether someone has a business licence or is the owner of a property). In the past, this had to be done manually. Thanks to digitalisation, most registers are now also available online – but apparently often without sufficient protection against large-scale ‘scraping’. Basic protective measures such as captchas, query limits per IP address, or terms and conditions that clearly stipulate that data may only be used for specific purposes (e.g. to verify a trade, ownership, or power of representation) seem to be lacking.
The law is clear: public registers are subject to ‘purpose limitation’. Not only is it obvious that this commercial reuse is not in the public interest, it also violates the GDPR principle of ‘purpose limitation’ in Article 5(1)(b) GDPR. The Austrian Data Protection Authority (DSB) has already decided with regard to the Registry of Deeds that, for example, further processing for advertising purposes violates the GDPR. The well-known CJEU ruling on the ‘right to be forgotten’ also concerned legally published data, which, however, could not simply be reused by Google Search.
Max Schrems: “Just because data is publicly available does not mean it can be used for any purpose. You cannot simply film people on a public street for your own purposes.”
Diversion of purpose / misuse of transparency registers (company register, register of associations, property register). Crazy because, in parallel, according to the CJEU, beneficial ownership registers cannot be opened to the public.
The shitshow of personal data being compiled and resold by data brokers… Impressive. All that for scoring people ahead of a loan…
#RGPD