Does the SCHUFA score violate the GDPR?

The SCHUFA score is feared by some consumers and is used by companies to assess creditworthiness. But does the SCHUFA score possibly violate data protection law? The European Court of Justice has ruled on this.

Several people were refused loans due to their poor SCHUFA score. Those affected then requested SCHUFA to provide information about the personal data stored and to delete the data they considered to be incorrect.

SCHUFA responded with information about the level of its SCHUFA score and explained in broad terms how the score values are calculated. However, SCHUFA refused to disclose the individual pieces of information taken into account in this calculation and their weighting, citing its trade and business secrecy. SCHUFA limits itself to providing information to its contractual partners. The contractual decisions are made by them.

The data subjects then turned to the Hessian State Data Protection Commissioner as the competent supervisory authority to enforce the claims for information and deletion. The Hessian State Data Protection Commissioner rejected this on the grounds that it had not been proven that SCHUFA was not fulfilling its data protection requirements in accordance with the German scoring regulations in the BDSG.

The affected citizens appealed to the Wiesbaden Administrative Court, which referred the matter to the ECJ.

SCHUFA and the SCHUFA score

SCHUFA is a private German company that provides information on the creditworthiness of third parties, in particular consumers.

Scoring is a mathematical-statistical procedure that makes it possible to predict the probability of future behavior, such as the repayment of a loan. The assessment is based on the assumption that similar behavior can be predicted by assigning a person to a group of other people with similar characteristics who have behaved in a certain way. At SCHUFA, this is the SCHUFA score.

Certain human characteristics are used for the calculation. This also includes information on the granting of residual debt discharge. While the German public insolvency register only stores this information for six months, credit agencies such as SCHUFA store it in their own databases for three years.

The ECJ on the SCHUFA score

In its ruling of 07.12.2023 (Ref. C-634/21), the ECJ initially stated that such “scoring” should be regarded as an “automated decision in individual cases” prohibited by the GDPR if the score plays a decisive role in the granting of credit.

Insofar as the BDSG provides for regulations that allow this, the administrative court must assess whether these contain a valid exception to this fundamental prohibition in accordance with the GDPR.

However, even if this were the case and scoring were permissible on this basis, the Wiesbaden Administrative Court would have to examine whether the general requirements for data processing provided for in the GDPR were met.

With regard to the data subject’s right to information, the judges stated that the data subject had a right to information from SCHUFA and that SCHUFA could not simply invoke its business secrecy. In particular, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject must be provided.

With regard to the long storage period of data on the residual debt discharge of affected persons, the Luxembourg judges consider this to be unlawful after 6 months.

The discharge of residual debt granted is intended to enable the person concerned to participate in economic life again and is therefore of existential importance to them. This information would always be considered a negative factor when assessing the creditworthiness of the person concerned. As this information may only be stored in the insolvency register in Germany for 6 months, the interests of the person concerned in the deletion of the information outweigh those of the public in having this information at their disposal.

The Wiesbaden Administrative Court will now have to review the decision of the Hessian State Data Protection Commissioner on the basis of these standards. In this respect, the ECJ emphasizes that the national courts must be able to subject every legally binding decision of a supervisory authority to a full review of its content.

Conclusion

In future, SCHUFA and other credit agencies will have to make their scoring procedures more transparent and also provide the relevant information to data subjects. Information on residual debt discharge will have to be deleted more quickly. Overall, SCHUFA will have to adapt its SCHUFA score and its handling of it, as the current practice does not meet the requirements of the GDPR.
