The Court of Justice of the European Union has issued its judgment in Case C-634/21|SCHUFA Holding (Scoring) and in Joined Cases C-26/22 and C-64/22|SCHUFA Holding (Discharge from remaining debts).
Some individuals challenged the refusal of the competent data protection commissioner to take action against certain activities of SCHUFA. SCHUFA is a private company providing credit information for clients including banks. In particular the individuals challenged the practice of “scoring” as well as the storage of information relating to the granting of a discharge from remaining debts taken from public registers.
“Scoring” is a mathematical statistical method used to predict the probability of future behaviour, such as the repayment of a loan. Information relating to the granting of a discharge from remaining debts is kept in the German public insolvency register for six months, while a code of conduct for German credit information agencies stipulates a retention period of three years for their own databases.
The German courts asked the CJEU to clarify the scope of personal data protection provided for by the GDPR.
The Court holds that “scoring” must be regarded as an “automated individual decision” prohibited in principle by the GDPR, to the extent that SCHUFA’s clients attribute to it a determining role in the granting of credit. The German courts said this was the case. The CJEU said that it was for the German courts to assess if the German Federal Law on data protection contains a valid exception to that prohibition in accordance with the GDPR. If this is the case, it will still have to check whether the general conditions in the GDPR for data processing have been met.
As regards information relating to the granting of a discharge from remaining debts, the Court considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register.
The discharge from remaining debts is intended to allow the data subject to re-enter economic life and so is very important to that person. It is still used as a negative factor when assessing the solvency of the data subject. In this case, the German legislature has provided for data to be stored for six months. It therefore considers that, at the end of the six months, the rights and interests of the data subject take precedence over those of the public to have access to that information.
To the extent that the retention of data is unlawful, as is the case beyond six months, the data subject has the right to have the data deleted and the agency must delete the data as soon as possible.
As regards the parallel storage of such information by SCHUFA for those six months, it is for the Administrative Court to weigh up the interests involved to assess its lawfulness. If it concludes that parallel storage for six months is lawful, the data subject will still have the right to object to the processing of his or her data and have the right to have the data erased, unless SCHUFA can demonstrate that there are overriding legitimate grounds.
Finally, the Court emphasised that national courts must be able to exercise full review over any legally binding decision of a supervisory authority.
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62022CJ0026
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62022CJ0026
https://curia.europa.eu/juris/document/document.jsf?text=&docid=280428&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=452055