Data from KPN customers and many other Dutch companies is resold through data traders. This happens without actively informing these customers. Following revelations about this by RTL News KPN has announced that it will restrict that trade.
Companies such as KPN and other telecom providers, but also energy companies, have the creditworthiness of customers checked by external agencies. The information that customers provide, such as names, addresses and ages, is shared with these ‘credit reference agencies’ for this purpose.
Collection agencies
Research by RTL shows that credit reporting agencies then store that information and combine it with information from other sources to create ‘profiles’ of people. They then sell them to other customers. These are often security companies and debt collection agencies, which can search the credit reference agencies’ databases.
This storage and combination is not allowed without people giving explicit permission, privacy experts tell RTL. “We don’t think this is right,” says Gerard Spierenburg of the Consumers’ Association. According to the General Data Protection Regulation (GDPR), people are in charge of their own data, he explains. They must also be able to withdraw permission for its use. That won’t work if you don’t know where your data is and who sells it to whom.
Also read
A small debt can have major consequences, ‘just figure it out with your mortgage, we heard’
According to the Consumers’ Association, whether the trade is also punishable is “up to the supervisory authority or the judge”. KPN says it has asked the credit reference agencies to no longer sell the personal data. Supervisory Authority for Personal Data was not available for questions.
Three credit information agencies in the Netherlands are united in the trade association VvKi. These are Experian, Focum and EDR. In a long, written statement, the industry association rejects the accusations: combining data would not be against the rules.
According to the association, citizens are indeed informed about the use of their data, although the statement does not make it clear how this happens and who is responsible for this. According to the VvKi, this would be included in the privacy statements on the websites of both the credit information agencies and their customers. Those who agree to this and to a test of their creditworthiness then give indirect consent.
Such a test is now a standard part when you take out a subscription or buy something on installment. For example, online stores carry this out before sending a product that has not yet been paid for. Together, this concerns data from millions of Dutch people.
Many different indicators are used to assess people’s creditworthiness. Things regularly go wrong, the Consumers’ Association has noticed. “For example, people run into problems if they want to take out insurance or a mortgage if they live in a certain postal code area,” says a spokesperson. “That is based on algorithms. That method is not quite the same as continuously enriching databases, but it is related.”
RTL further revealed that the address details of people who have police protection because they are being threatened can be found through the databases of the credit reference agencies. One of them is Telegraaf journalist John van den Heuvel. He reacted shocked to RTL and said he was considering a lawsuit.