exclusive
A Munich company collects data from millions of cell phone users. As with Schufa’s similar approach, the legal basis is questionable. The responsible supervisory authority investigates, the credit agency defends itself.
It is a huge collection of data that has now brought the supervisory authorities into action. A competitor of Schufa, the Munich credit reporting agency CRIF, stores data according to research by NDR and “Süddeutscher Zeitung” (SZ) have been collecting the contract data of millions of mobile phone customers from Telekom, Vodafone and Freenet for years – without their consent and apparently without having done anything wrong.
A spokeswoman for the Bavarian State Office for Data Protection, which is responsible for CRIF, confirmed this NDR and SZ that the authority is conducting proceedings regarding the “processing of contract data transmitted without cause by mobile phone companies”.
Consumer advocates had repeatedly expressed fears that the storage of the contract data of innocent customers was not transparent and that it could also be used to the detriment of those affected. In the case of the credit agency CRIF, among other things, the customers’ bank details, their email addresses, and the start and end of their contract are transmitted.
Data protection officers banned a similar data pool for electricity contracts three years ago. Such contract data can also be used to determine which customers are particularly price-conscious and therefore willing to change. Consumer advocates found that companies could then disadvantage such people by not offering them any or only expensive contracts.
Schufa also collects user data
It is not the first time that mobile phone companies have had a dispute with data protection officers. Several of the large companies had already come under criticism because they had similarly transmitted their customers’ data to Germany’s largest credit agency, Schufa, without being asked and for years, which was then used to determine creditworthiness.
However, according to the responsible data protection officers, such information may only be passed on to credit agencies such as Schufa and CRIF if a customer has not paid their bill or has attempted to cheat. The state and federal supervisory authorities gathered in the so-called Data Protection Conference (DSK) had already clearly stated this in a resolution two years ago. However, numerous mobile phone providers largely ignored the data protection officers’ decision.
Providers believe they are in the right
The background is a dispute that has been simmering for years – between data protection officers on the one hand and credit reporting agencies and telecommunications companies on the other. The data protection officers say to credit agencies and Telekom & Co.: You cannot simply set up a central register of all mobile phone customers from which every company can then use.
The mobile phone providers and the credit agencies counter this: Such data pools only serve to prevent fraud; after all, fraud is a big problem in the mobile phone sector. The dispute eventually went to court.
First judgments against data collection
The first court rulings have now proven the data protection officers right. That’s how it was Munich Regional Court ruled in April of this yearthat the mobile phone provider Telefónica O2 should not have transmitted a customer’s contract data to Schufa without their consent. The O2 customer had sued with the support of the North Rhine-Westphalia Consumer Center.
The ruling is not yet final, and yet consumer law firms are already feeling encouraged to launch a wave of lawsuits. Recently, two Cologne law firms announced that they would take large-scale action against the mobile phone companies on behalf of cell phone customers because they had illegally passed on data to Schufa. The first lawsuits were filed in court at the end of September, and thousands more are expected to follow.
Another company stores customer data
So now the CRIF case: The Munich company, like other competitors, is in the shadow of Schufa, by far the best-known credit reporting agency in the country, over its activities NDR and SZ have repeatedly reported.
CRIF was apparently able to build up a data pool largely unnoticed for a long time, which is only now being examined in more detail. Under the name “Telco Information Platform” (TIP), CRIF stores numerous information about Telekom, Vodafone and Freenet customers.
In such cases we are talking about “positive data”, a term that consumer advocates consider to be misleading. “Positive data” is only information that basically contains nothing negative, such as unpaid bills or even fraud.
However, it is completely unclear whether such actually neutral data will ultimately have a positive impact on consumers. In any case, according to CRIF’s data protection information, this data is also used for credit scoring, i.e. determining the creditworthiness of customers.
“Only on Fraud prevention tailored”
CRIF said in a written statement NDR and SZ, the TIP platform is a “closed industry pool” from which a mobile phone company can only access data if it has previously transmitted that of its own customers – a model that is based on reciprocity.
The pool is also “tailored only to avoid fraud.” With the help of the data reported by the mobile phone companies, fraud can be detected in advance, for example if someone gives a false age, provides false information about their identity or their ability to pay
A “mini Schufa”?
But the responsible data protection officers are apparently not convinced by this explanation. Industry experts even say that CRIF has secretly set up a kind of “mini-Schufa” for telecom companies with the data pool – an accusation that a CRIF spokesman expressly did not want to comment on.
But the mobile phone providers involved also see themselves as being in the right. There is “no excessive interference with personal rights,” said a Telekom spokesman. Here too is the argument that CRIF already put forward: the “positive data” transmitted to the Munich credit agency would be “used exclusively to prevent fraud”. A Vodafone spokesman made a similar statement: “This positive data was passed on primarily to protect against fraud and data misuse by third parties.”
Data protection officers see a violation
However, this is inadmissible, according to data protection authority circles. It is clear from the DSK decision of 2021 that supposed fraud prevention is not a reason to pass on contract data to Schufa & Co. without the consent of those affected.
A spokeswoman for the mobile phone provider Freenet, which is also involved in the CRIF data pool, nevertheless takes a clear stance against the authorities. There is “no legally binding decision according to which the transfer of inventory data to such a data pool is unlawful.”
The European General Data Protection Regulation (GDPR) certainly stipulates that data can be stored to prevent fraud. “In view of this, the DSK’s point of view, which we are familiar with, is incomprehensible to us, represents only a legal opinion on this complex and, in our opinion, cannot withstand the pending judicial review.”
There is a risk of further lawsuits
Nevertheless, the mobile phone providers could now face further trouble – after the lawsuits about the transfer of such contract data to CRIF’s competitor Schufa. Because the Cologne consumer law firms that are suing Telekom, Vodafone & Co. regarding Schufa could soon also set their sights on CRIF .
According to information from, it is unclear when the investigation will be carried out by the Bavarian data protection supervisory authority NDR and SZ still open. It is not impossible that courts will ultimately have to decide in this case too.