Germany ranks near the top of European privacy surveys and hosts one of the continent’s most sophisticated data trading ecosystems. The legal frameworks that produced strong data protection also created structural exceptions that the data industry built its business model around.
What follows maps who holds data about German residents, what legal basis each category relies on, and what rights are available in practice.
The credit bureau layer
Schufa Holding AG, Creditreform, Regis24, Boniversum, and CRIF GmbH are not data brokers in the conventional sense. They are Auskunfteien — credit information agencies operating under a statutory basis that predates GDPR. BDSG §28a and §31 preserve a legacy framework for creditworthiness data (financial behaviour, address history, payment defaults) that ordinary companies cannot invoke. These organisations can collect and share data about individuals on legal grounds unavailable to other data traders.
Schufa’s 2024 revenue was €285.3M. Creditreform, a federation of approximately 130 independent regional companies (Vereine) under a central holding, reports group revenue above €700M.
The CJEU tightened the rules in December 2023. In SCHUFA Holding (C-634/21), the court ruled that automated credit scoring constitutes Article 22 GDPR automated decision-making, requiring human review on request. Schufa subsequently cut the storage period for settled debts from 36 to 18 months, effective January 2025. The ruling has not been fully implemented across Schufa’s processes.
Creditreform’s federated structure warrants specific attention. Each of the ~130 regional Vereine is a separate legal entity and a potential separate data controller. The Vereine collect data from creditors within their postcode territory, but records are accessible across the network. If you have had commercial relationships in multiple regions, records may be distributed across multiple Vereine. A complaint handled by one Land DPA does not reach records held by a Verein in another federal state.
How a transparency app became a scoring asset
In 2016, a Berlin startup launched Bonify with a straightforward consumer premise: Germans could finally see what Schufa knew about them, for free. The app offered open banking integration — users could connect bank accounts voluntarily to get a fuller financial picture.
Schufa acquired Bonify (now Forteil GmbH) in December 2022 for approximately €160M. The open banking data from six million users entered Schufa’s scoring infrastructure.
In February 2024, noyb documented a further development: Schufa now charges users for access to detailed credit data through Bonify’s premium subscription — data those users are entitled to receive once annually for free under Article 15 GDPR. The consumer transparency app became, in sequence, a data collection channel and then a commercial layer placed over a statutory right.
The GfK consumer panel followed a parallel arc. GfK (Gesellschaft für Konsumforschung) ran Germany’s largest household purchase panel under “research consent” — over 100,000 households scanning every purchase at SKU level. When GfK restructured, the German consumer panel was sold separately to YouGov for €315M in January 2024. NielsenIQ’s privacy notice, governing the broader dataset, explicitly states it may sell or share personal data including “demographic characteristics, shopping behaviors and preferences… to data brokers.”
The address and marketing layer
AZ Direct GmbH (a Bertelsmann subsidiary) and Deutsche Post Direkt GmbH describe themselves as “database marketing solutions” and “direct marketing services.” Both compile and sell consumer address and demographic data.
The legal basis for most address trading is Article 6(1)(f) GDPR — legitimate interest. The balancing test required under Article 6(1)(f) is conducted internally by the company holding the data. Companies are not required to publish it. The DSK (the German conference of data protection authorities) has not reached a unified national position: Berlin and Baden-Württemberg take a restrictive view; Bavaria and NRW are permissive. Without a published balancing assessment to challenge, a complaint has no specific document to contest.
microm Micromarketing-Systeme und Consult GmbH operates below the public visibility threshold. A Creditreform subsidiary (HRB 9088, AG Neuss), microm maps every German household to a geodemographic micro-cell at 8-household grid resolution. Each cell carries lifestyle, wealth, and purchase propensity scores that feed into direct marketing and address sales. microm’s filed balance sheet shows approximately €2M — it operates as an intragroup service unit, and its economic contribution flows through Creditreform’s address book operations. There is no public profile and no documented GDPR enforcement.
The adtech layer
Adsquare GmbH (Berlin, €35M revenue) operates a mobile audience data platform with 15,246 segments available on Microsoft Xandr’s marketplace. Segments include “Fragile Seniors,” “Families in Difficulty,” and “Gambling.” The signals behind them include weather app usage and ATM visit patterns, from which Adsquare infers income levels and life situations. Following an on-site inspection, the Berlin DPA found “far-reaching data protection violations” and a fine is under review.
Emetriq GmbH (Deutsche Telekom, Hamburg) mixes Telekom first-party data with third-party signals for programmatic advertising. Published segment labels have included “erotic interests,” “vaccinations,” “pregnancies,” and “IQDX Policy Makers.” Following a 2023 netzpolitik.org investigation, regulators examined the company; no fine has been confirmed.
The ADEX GmbH (formerly ProSiebenSat.1) ran approximately 11,000 audience segments including unemployment status, health conditions listed by name (“Menopause,” “Corona Virus”), weight, and income below €500. Named in the same investigation, it was reviewed by the relevant DPA. Regulatory proceedings were opened but no outcome has been published.
Datarade GmbH (Berlin) operates as a data marketplace, connecting buyers and sellers without itself processing the data. The Berlin DPA concluded that GDPR does not apply to Datarade because it acts as a neutral intermediary — a situation regulators described as a “legal protection gap.” At the time of investigation, the platform listed location data on 11 million German device IDs with 3.6 billion location points available as a free sample. The company received partial funding from the German government’s High-Tech Gründerfonds.
Why enforcement reaches some layers and not others
The Auskunftei statutory carve-out under BDSG §28a and §31 gives credit bureaus a legal basis that ordinary companies cannot invoke and that DPAs have limited authority to challenge directly.
Legitimate interest under Article 6(1)(f) is applied through internal balancing tests that companies are not required to disclose. The DSK’s split between permissive and restrictive Land DPAs means the standard varies by federal state, and a complaint in Bavaria will be assessed differently than one in Berlin.
Creditreform’s regional federation means enforcement against one Verein does not cover the others. Identifying the correct legal entity for a given record requires a prior data access request.
Bertelsmann routes certain processing through Netherlands and Luxembourg entities; CRIF’s parent is Italian (CRIF S.p.A., Bologna). Under GDPR’s one-stop-shop mechanism (Article 56), enforcement for a company whose main EU establishment is in another member state goes to that state’s DPA. A complaint filed with a German DPA against a Bertelsmann entity may be transferred to the Dutch DPA.
The intermediary model, as applied to Datarade, creates a gap for marketplace operators: if the platform does not itself handle personal data, the regulator’s reach stops at the platform boundary.
What you can do
German data protection law gives residents enforceable rights across most of these layers; each layer has its own correct channel.
Schufa
Submit your annual Article 15 request directly at schufa.de — not through Bonify. The free access right covers the full disclosure once per year. Bonify’s premium subscription is a commercial product layered over this statutory right.
Creditreform — consumer credit
For personal credit data, the relevant entity is Creditreform Boniversum GmbH (the B2C arm), not the regional Vereine. Boniversum handles consumer credit reporting for individuals and accepts Article 15 requests directly.
Creditreform — business and director data
If you are a sole trader, freelancer, or director with business credit records, the relevant Verein is the one covering the postcode where your business is or was registered. If you have operated in multiple regions, you may need to contact more than one Verein. A DSAR submitted to the relevant Verein will confirm what is held and allow you to identify any accuracy corrections or erasure grounds.
AZ Direct / Deutsche Post Direkt
Both accept Article 21 GDPR objections to direct marketing processing. An objection under Article 21(2) to direct marketing is absolute — no balancing test applies, and the company must stop. Submit by registered post or email with delivery confirmation.
Adsquare
An opt-out form for mobile device ID-based targeting is available at adsquare.com/privacy.
If you want to know which of these layers holds records about you before submitting removal requests, a Mirror investigation maps your full exposure across B2B data controllers, address traders, and credit bureaus.
B2B records (microm, Bisnode/D&B, OS Data Solutions)
These companies hold data about individuals in a professional context (director addresses, company affiliations, registered roles). Identifying whether a specific record exists requires a DSAR first; the data will not appear in their public-facing tools. This is the layer where a Mirror investigation applies — mapping which B2B controllers hold records about you before submitting targeted removal requests.
Sources
- noyb.eu: “German credit agency earns millions through unlawful customer manipulation” (February 2024)
- noyb.eu: “Data trading between credit agency and address trader illegal”
- netzpolitik.org: “Databroker Files — die große Datenhändler-Recherche im Überblick” (2024)
- netzpolitik.org: “Nach unserer Berichterstattung: Datenschutzbehörde findet Verstöße bei Berliner Werbefirma” (Adsquare, 2025)
- netzpolitik.org: “Wie deutsche Firmen am Geschäft mit unseren Daten verdienen” (2023)
- BIIA: “SCHUFA Group revenue grows again in 2025”
- CJEU C-634/21 (SCHUFA Holding, December 2023)
- YouGov / NielsenIQ transaction filings (January 2024)
- Handelsblatt: YouGov acquires GfK consumer panel for €315M
- Northdata: HRB registrations cited above