CRIF assesses most individuals in Austria; noyb seeks backing for potential lawsuit

June 3, 2025

Supporting Potential Class Action Against CRIF for Credit Scoring in Austria

CRIF, one of Austria’s major credit agencies, holds personal data on millions of Austrian residents to assess their creditworthiness through a scoring system ranging from 250 to 700. This score plays a critical role in determining who can access various services, such as contracts with telecom giants like Magenta and Drei, energy providers like Verbund, and financial institutions like Volksbank Wien. The alarming part is that this evaluation occurs discreetly and behind individuals’ backs, potentially violating GDPR regulations. Nearly every individual in Austria is subject to the implications of CRIF’s scoring system. Consequently, an in-depth investigation into the scientific validity of CRIF’s scoring methodology is imperative, especially considering the potential for launching a class-action lawsuit. Residents of Austria are invited to contribute to this cause by providing essential support.

CRIF operates as a national repository gathering extensive personal information and issuing creditworthiness scores. Nevertheless, most people receive scores based on limited data such as age, gender, and address, raising concerns about the score’s credibility. Initial findings indicate that the scoring heavily leans on the applicant’s address, triggering doubts about its analytical integrity. Notably, CRIF has not disclosed any scholarly findings validating its scoring approach. The apparent lack of transparency in its metrics leads to arbitrary outcomes; for instance, similar addresses might yield substantially different scores. This disparity underscores the fundamental flaws in CRIF’s assessment process, emphasizing the urgency for a thorough inquiry.

Financial institutions, telecom companies, energy providers, and online retailers are among CRIF’s customers receiving data computed through the credit scoring system. Regrettably, the consumers’ awareness of these score-generating mechanisms remains unclear. Recipients of this scoring information often use it to determine contract eligibility or payment terms with clients. Achieving clarity on the extent to which these scores dictate decisions constitutes a pivotal aspect of our investigative initiative. Previously, low scores have resulted in automatic rejections of mobile or energy supply contracts. Additionally, some individuals were denied deferred payments, possibly leading to prepayment prerequisites. The overarching concern revolves around the plausible repercussions of a poor credit score, including elevated loan costs influenced by the rating’s perceived risk.

Max Schrems, the Chair of noyb, voiced reservations about CRIF’s database compilation of nearly all Austrian residents. The data amalgamation culminates in what Schrems refers to as a debatable “score,” disseminated to various enterprises. CRIF’s reliance on limited factors like address, age, and gender in score calculation raises skepticism about its impartiality and adherence to data protection standards.

CRIF’s admission that only a meager 10% of the populace furnishes verifiable payment history data underscores the pervasive dependence on superficial criteria like age, gender, and address for score generation among the majority. More disconcertingly, individuals absent in the database still receive a propensity score, solely hinged on external data. This revelation hints at the arbitrary generation of scores, primarily premised on address-centric patterns. The ensuing implications highlight the imperative for rectification and accountability within CRIF’s scoring framework.

Concerns about the legality of data sourcing by CRIF amplify suspicions surrounding the agency’s practices. Blatant infringements are arguably manifest in CRIF’s aggregation of data, reportedly sourced from AZ Direct, ostensibly intended solely for marketing purposes, as stipulated by the Austrian Commercial Code. This contravention demonstrates a blatant disregard for GDPR regulations, particularly the foundational principle of purpose limitation. CRIF’s commercial transactions raise alarms concerning potential data breaches, emphasizing the exigency for stringent scrutiny and reform.

The implications of CRIF’s controversial scoring procedures necessitate a rigorous evaluation to ascertain their legitimacy and conformity with data privacy mandates. The insidious nature of these practices compels an urgent response, urging collective action to preserve individuals’ rights and rectify prevailing systemic injustices.