5. Key findings 5.1 Findings of non-compliance Our investigation revealed systemic compliance failings at each of the CRAs. Our key thematic concerns were consistent across all three, although there were material differences at each organisation. Many of these concerns have been proactively resolved by the CRAs after we informed them that these were serious enough to warrant enforcement action. In some cases, one or more of the CRAs chose to cease the relevant processing entirely.
5.2 Transparent processing Transparency is a key requirement of the GDPR. As part of this, individuals have the right to be informed about the collection and use of their personal data. This applies regardless of whether the personal data is obtained directly from the individual or from other sources. Organisations must be as transparent as possible about the personal data they are using, where they have obtained it from and the ways they will use it. They must be clear and upfront, explaining what they are doing in a way that individuals can readily understand. Our investigation found that the CRAs did provide some privacy information on their websites about their data broking activities, and links to this information were given by the organisations that supplied data to them. However, this information was not clear because it was not sufficiently prominent, it did not sufficiently explain how the data was collected, what sources were used, how it was processed, or how it was sold. Key finding 1 The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services. CRAs have to revise and improve their privacy information.
27
