Submission to the ECJ: does Schufa adhere to data protection?

So-called score values ​​often play a decisive role for consumers when granting credit - the Wiesbaden Administrative Court now wants the European Court of Justice (ECJ) in Luxembourg to clarify to what extent the creation of score values ​​by the private credit agency Schufa is subject to the European General Data Protection Regulation (GDPR ) falls.

As the court announced on Monday, the sixth chamber of the administrative court decided at the beginning of October to submit two questions to the ECJ (Ref .: 6 K 788 / 20.WI)

The background to this is proceedings before the administrative court.

According to the court, the plaintiff wants to delete entries with the Schufa, which in its opinion are incorrect, and have information about the data stored there.

The plaintiff had therefore turned to the Hessian commissioner for data protection, but he argued that when calculating the creditworthiness value, the Schufa "usually meets" the requirements set out in the Federal Data Protection Act and in the present case there are no indications that this is not the case .

Focus on the activity of a credit agency

The Wiesbaden Administrative Court now wants to be clarified by the European Court of Justice, on the one hand, as to whether the activity of credit agencies to create score values ​​and to transmit these "without further recommendation or remarks to third parties" such as banks, for example, falls under Article 22 of the GDPR.

This states that data subjects may not be subjected to decisions that are "based solely on automated processing";

However, exceptions are also provided, for example in the case of "express consent".

If the creation of score values ​​falls under the corresponding GDPR article, “this activity, which is decisive for credit reporting agencies, is covered by the ban on automated individual decision-making,” continued the administrative court.

As a justification, the Wiesbaden court explained that the creation of score values ​​does not merely prepare the decision of a bank, for example, but is an independent "decision" in the sense of the corresponding GDPR article.

There are “weighty indications” for this.

In any case, the third party responsible could make a purely hypothetical decision “about whether and how to conclude a contract with the person concerned”, but this decision is “practically but to a considerable extent determined by the score value transmitted by credit agencies”.

Refusal of Credit

An inadequate score in the consumer loan sector will in almost every case "lead to the refusal of a loan", but the GDPR is intended to protect against the dangers of "this form of decision based purely on automation", explained the administrative court. If the ECJ answers in the negative to the first question, the European Court of Justice should also examine whether the GDPR regulations of the Federal Data Protection Act on scoring and credit reports conflict.

As a private credit agency, Schufa provides contractual partners with information on the creditworthiness of third parties and, for this purpose, creates the score values ​​on the basis of mathematical-statistical procedures.

These should then reflect the probability of a future loan default, for example.

The Schufa does not disclose the exact calculation method and relies on business secrets.

The Federal Court of Justice (BGH) found this to be permissible in 2014.