Luxembourg, 7 December 2023
PRESS RELEASE No 186/23
The General Data Protection Regulation (GDPR) opposes two data processing practices by credit information agencies
While ‘scoring’ is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR.
A number of members of the public are challenging the refusal of the competent data protection commissioner to take action against certain activities of SCHUFA, a private company providing credit information for clients including banks, before the Administrative Court of Wiesbaden (Germany). Specifically, they are opposed to ‘scoring’ and to the storage of information relating to the granting of a discharge from remaining debts taken from public registers. ‘Scoring’ is a mathematical statistical method used to predict the probability of future behaviour, such as the repayment of a loan. Information relating to the granting of a discharge from remaining debts is kept in the German public insolvency register for six months, while a code of conduct for German credit information agencies stipulates a retention period of three years for their own databases.
The administrative court asks the Court of Justice to clarify the scope of personal data protection as provided for by the General Data Protection Regulation (GDPR)1. As regards ‘scoring’, the Court holds that it must be regarded as an ‘automated individual decision’ prohibited in principle by the GDPR, in so far as SCHUFA’s clients, such as banks, attribute to it a determining role in the granting of credit. According to the Administrative Court of Wiesbaden, this is the case. It is for that court to assess whether the German Federal Law on data protection contains a valid exception to that prohibition in accordance with the GDPR.
If this is the case, it will still have to check whether the general conditions laid down by the GDPR for data processing have been met. As regards information relating to the granting of a discharge from remaining debts, the Court considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register. The discharge from remaining debts is intended to allow the data subject to re-enter economic life and is therefore of existential importance to that person.
That information is still used as a negative factor when assessing the solvency of the data subject. In this case, the German legislature has provided for data to be stored for six months. It therefore considers that, at the end of the six months, the rights and interests of the data subject take precedence over those of the public to have access to that information.
In so far as the retention of data is unlawful, as is the case beyond six months, the data subject has the right to have the data deleted and the agency is obliged to delete the data as soon as possible. As regards the parallel storage of such information by SCHUFA for those six months, it is for the Administrative Court to weigh up the interests involved in order to assess its lawfulness. Should it conclude that parallel storage for six months is lawful, the data subject will still have the right to object to the processing of his or her data and the right to have the data erased, unless SCHUFA can demonstrate the existence of overriding legitimate grounds.
Finally, the Court emphasises that national courts must be able to exercise full review over any legally binding decision of a supervisory authority.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of EU law or the validity of an EU act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Source – EU Court of Justice – Email