Two SCHUFA practices violate the GDPR

While "scoring" is only permissible under certain conditions, the longer storage of information on the granting of a discharge of residual debt is contrary to the GDPR.

Several citizens challenged, before the Wiesbaden Administrative Court, decisions by the competent data protection officer refusing to take action against certain activities of SCHUFA, a private credit agency whose clients include banks in particular. Specifically, they objected to "scoring" and the storage of information taken from public registers on the granting of residual debt discharge.

Scoring is a mathematical-statistical procedure that makes it possible to predict the probability of future behavior, such as the repayment of a loan. The information on the granting of a discharge of residual debt is stored in the German public insolvency register for six months, while the rules of conduct of the German credit agencies provide for a storage period of three years for their own databases. The Administrative Court asks the Court of Justice to explain in more detail the scope of the protection of personal data as provided for by the General Data Protection Regulation (GDPR).

The Court rules that "scoring" is to be regarded as an "automated decision in individual cases" prohibited by the GDPR, provided that SCHUFA's customers, such as banks, attach a decisive role to it in the context of granting credit. In the opinion of the Wiesbaden Administrative Court, this is the case. It is up to this court to assess whether the German Federal Data Protection Act contains a valid exception to this prohibition in accordance with the GDPR. If this is the case, the court will also have to examine whether the general requirements for data processing set out in the GDPR are met.

With regard to information on the granting of a discharge of residual debt, the Court ruled that it is contrary to the GDPR for private credit agencies to store such data for longer than the public insolvency register. The residual debt discharge granted is intended to enable the person concerned to participate in economic life again and is therefore of existential importance to them. This information is always used as a negative factor when assessing the creditworthiness of the person concerned. In the present case, the German legislator has provided for the data to be stored for six months. It therefore assumes that, after the six months, the rights and interests of the data subject outweigh those of the public to have this information.

If the storage of the data is not lawful, as is the case after the six months, the data subject has the right to erasure of this data and the credit reference agency is obliged to erase it immediately.

As regards the parallel storage of such information by SCHUFA during those six months, it is for the referring court to weigh up the interests at stake in order to assess the lawfulness of that storage. If it comes to the conclusion that the parallel storage during the six months is lawful, the data subject nevertheless has the right to object to the processing of his data and the right to have it erased, unless SCHUFA proves the existence of compelling legitimate grounds.

Finally, the Court emphasizes that national courts must be able to subject any legally binding decision of a supervisory authority to a full substantive review.

Judgments of the Court of Justice in Case C-634/21 | SCHUFA Holding (scoring) and in Joined Cases C-26/22 and C-64/22 | SCHUFA Holding (discharge of residual debt)

Source: ECJ press release no. 186/23 of 07.12.2023