Schufa's data protection breach?

Arthur
26.09.2023

Key findings

Schufa's handling of personal data and the legality of the "score value" are under the microscope of the European Court of Justice. If the ECJ confirms the concerns, it could mean far-reaching changes for credit agencies and your financial transactions.

Whether it's for future landlords, when signing a mobile phone contract, leasing a car, or making other instalment payments, there are many cases in which a Schufa report can be requested from you. Schufa is one of the largest credit agencies in Germany and collects and manages information about the creditworthiness of consumers. This information is provided by banks and other financial institutions and can then be used to assess your creditworthiness. However, Schufa does not only store negative information, such as payment defaults or overdue bills, but also positive information, such as regular payments and existing credit.

However, there are concerns about the legality of this practice under data protection law. The European Court of Justice (ECJ) is currently discussing the compliance of the Schufa system with the data protection provisions of the EU General Data Protection Regulation (GDPR). In particular, it is about the processing of personal data and the rights of consumers, as the Administrative Court of Wiesbaden doubts the legality of Schufa's handling of this data.

The "score value" of Schufa

On the one hand, it is debated whether the calculation and use of the so-called "score value" is legal at all. Article 22 (1) of the GDPR states that data subjects have the right not to be subject to automated decisions that have an impact on their legal relationship or their essential interests. So if decisions are made based on automated processing of your personal data, this is prohibited in the vast majority of cases.

Since the calculation of the "score value" by Schufa is such an automated decision according to the Wiesbaden Administrative Court, the case is now being examined by the ECJ. If Article 22 (1) of the GDPR does not apply, it will also be examined whether Germany's Federal Data Protection Act (BDSG) in particular is compatible with the GDPR. This is because the Administrative Court of Wiesbaden doubts that Section 31 of the BDSG is compatible with Article 22 (1) of the GDPR. If the ECJ were to come to the same conclusion, this would mean that Schufa would have no legal basis for its procedure or for the calculation and use of the "score value".

Furthermore, the ECJ is to examine whether the type of data stored and the storage period of this data by Schufa are lawful. Since Schufa is a private credit agency, it is questionable whether it may store information from public registers. In any case, the same storage and deletion periods would have to apply as in public registers, i.e. the information would have to be deleted after six months in accordance with Article 17 (1) of the GDPR. Currently, however, Schufa stores this data for three years in order to be able to determine the "score value", even if it is retrograde.

What can happen?

It remains to be seen how Schufa will react to this decision. If the ECJ agrees with the concerns of the Wiesbaden Administrative Court, credit agencies will have to change their entire practices. It is also possible that Schufa will appeal the decision and continue to adhere to its current system. The discussion shows once again that data protection law is an important part of our society and that it is increasingly important to ensure that we are adequately protected, especially with regard to our personal data.