The addresses of millions of Dutch citizens are being traded by data companies such as Experian and Focum. The trade might be illegal because the companies do not ask for consent or ensure it is hidden in a general consent form. The Dutch DPA is investigating whether the practices violate the GDPR. If that is the case, there could be consequences for several countries in the EU where these companies conduct their operations.
The addresses and other personal data of millions of Dutch citizens are easily retrievable in the databases of Experian and Focum. This found RTL News after an investigation by the editors.
Many have access
The data would be traded to companies so they can check whether a consumer will pay off a loan. In addition, debt collection agencies appear to use the services. These will mainly be interested in the addresses of defaulters. In addition, the address is also accessible to private investigation companies, which carries wider risks. According to the data agencies, which describe themselves as credit reporting agencies, in the Netherlands, all licensed detective agencies have access. That’s a list of thousands of companies, but RTL News learned from sources that certainly not all agencies with access are actually registered.
These databases are a treasure trove of information for anyone with access. Especially since around the list can also be found addresses of individuals of Dutch citizens whose addresses are shielded in public records for security reasons. These are addresses of journalists and politicians.
Without permission?
The data is not gathered with the clear permission of the persons in the database. The information collection occurs, possibly without permission, when the person buys a product on credit or takes out a loan. It appears almost impossible to stay out of the database.
It is unclear whether these practices violate European data protection legislation, the GDPR. The Dutch DPA, which monitors compliance with this law in the Netherlands, responded it has not yet finished its investigation: “Several investigations into data traders are ongoing to date. The AP cannot make any announcements about the nature and content of ongoing investigations.”
On its website, Experian describes itself as a company that “helps individuals regain financial control and access financial services, businesses to make smarter decisions and thrive, lenders to borrow more responsibly, and organizations to prevent identity fraud and crime”. The company offers its operations in 30 countries or more, as the LinkedIn page tells they operate in 43 countries. There are active websites in Denmark, Germany, Italy, Sweden and Spain, among others. Thus, should the practices violate the GDPR, there are likely to be consequences in several European member states. For Focum, which is part of Arrow Global, the story is no different. On their website, they state that they conduct their activities across Europe.
Response Experian: stops service in the Netherlands
As part of the investigation, a response was requested from the credit reference agencies involved. Experian indicated that it would discontinue its address lookup service beginning from the end of March. We can assume this is only true for the service in the Netherlands, although this is not confirmed. DataChecker, which uses Focum’s database, is still reviewing whether this capability will be dropped in the future.
Also read: Air France-KLM data leak left customer information vulnerable to scrapers
22 hours ago
