Companies can no longer rely solely on Schufa's creditworthiness assessments to determine whether to do business with a customer, according to a ruling by the European Court of Justice in Luxembourg. The Court declared that Schufa's credit scoring falls under the General Data Protection Regulation (GDPR) and can only be used under specific conditions.
Banks, telecommunications companies, and energy suppliers often request information about a person's creditworthiness from credit agencies like Schufa. Schufa then provides an assessment, known as the score value, which indicates how well the individual meets their payment obligations.
The ECJ's decision stems from a case in Germany, where a person who had been denied a loan asked Schufa to delete an entry and grant them access to their data. Schufa provided the person with their score value and general information on the calculation, but not the exact calculation method.
After hearing the case, the Wiesbaden Administrative Court referred it to the ECJ to clarify the relationship between the GDPR and creditworthiness assessments. The GDPR states that significant decisions may not be made solely based on automated data processing.
Schufa welcomed the ruling, as it provides clarity on how scores can be used in the decision-making processes of companies in accordance with the GDPR. Schufa stated that payment forecasts in the form of their score are important to their customers, but are generally not the only decisive factor in doing business with them.
Additional Insights
The GDPR's provisions on credit scoring have significant implications for companies in Europe, particularly in Germany. Here are some key points:
- Automated Decision-Making: Credit scoring, including Schufa scores, constitutes automated decision-making, which is prohibited under Article 22 of the GDPR unless certain conditions are met. Companies must ensure that their use of Schufa scores does not produce a legal or similarly significant effect without human intervention or oversight.
- Data Protection: The GDPR emphasizes the need for transparency and fairness in the processing of personal data. Companies must provide clear information about how they use credit scores and ensure that individuals have the right to access and correct their data. Consumers have the right to receive a free copy of all data held by credit bureaus once a year, which includes their Schufa records.
- Non-Material Damage: The ECJ has clarified the concept of non-material damage under Article 82 of the GDPR. This means that individuals can claim compensation for any distress or inconvenience caused by the misuse of their personal data, including the use of Schufa scores without proper justification.
- Guidelines and Compliance: The European Data Protection Board (EDPB) has published guidelines on the technical scope of Article 5(3) of the ePrivacy Directive, which further outlines the requirements for data protection in the context of credit scoring. Companies must comply with these guidelines to ensure that their use of Schufa scores is lawful and transparent.
In summary, the GDPR requires European companies to use Schufa scores in a manner that respects individuals' rights to data protection, transparency, and fairness. This includes ensuring that automated decision-making processes are transparent and subject to human oversight, providing clear information about data usage, and allowing individuals to access and correct their personal data.
