By Dave McKay | December 3, 2020
On Tuesday, My Privacy is None of Your Business (NOYB) filed a GDPR complaint against AZ Direct Österreich GmbH. They are an address broker—they sell personal data—based in Vienna.
They refused to reveal where they got their data from and with whom it had been shared. They claimed they didn’t know because they didn’t bother recording it. Recording it, they said, would have been “too burdensome”.
A data subject had sent a data subject access request, asking where the address publisher had collected his data and to whom it had been sold. AZ Direct could not comply with this mandatory step. They did not—they say could not—provide any detailed information on the origin of the data even though the GDPR explicitly requires this.
Marco Blocher, data protection lawyer at NOYB, said:
“AZ Direct’s statements are absurd. Trading in address data for third-party advertising purposes is the core business of this company. They have to know where the data comes from. This isn’t even only data protection, it is also in the own interest of an address broker. Think of it: a supermarket also needs to know where its meat, dairy products, and bread come from.”
AZ Direct tried to claim an exemption that doesn’t exist. They argued that keeping records on the origin of the data would be an “excessive effort in the sense of the DSG”. But neither the DSG (the Austrian Data Protection Act) nor the GDPR contains such an exception.
Marco Blocher commented:
“AZ Direct is subject to accountability under data protection law and must be able to prove at all times that the rules of the GDPR are being observed. How can they do so if they have no idea where the data comes from? They would never be able to comply with a data subject’s access request – let alone ensure that the data is correct in terms of content. Either AZ Direct is deliberately withholding information on the origin of the data, or they have a massive structural problem, which makes their entire business model incompatible with the GDPR. In either case, there is a need for explanation. A made-up legal provision cannot change this.”
Similarly, AZ Direct could not name the recipients of the personal data. As part of the response to a data subject access request, the data subject must be told where the data came from and who it has been shared with.
These provisions are designed to allow the data subject—the owner of the personal data—to track:
- Where their data was gathered from
- Why it was collected
- For what purposes it was processed
- What the lawful basis for that processing was
- Who the data has been shared with.
Plainly AZ Direct cannot or will not comply with these GDPR requirements. They are going to have a sorry time in court.
Source: NOYB