Schufa – CJEU Judgment (Germany, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that a credit score provided by Schufa does not count as a decision under GDPR when a bank uses it to deny a loan. This ruling is significant because it clarifies how credit scores are treated under data protection laws. Companies that provide credit information should be clear about how their data affects users' financial decisions.
What happened
A person was denied a loan based on a negative credit score from Schufa, which they challenged for lack of transparency.
Who was affected
The individual who was denied a loan due to their credit score from Schufa.
What the authority found
The Court held that a credit score is not considered a decision under GDPR, meaning Schufa's processing was compliant.
Why this matters
This decision sets a precedent for how credit scores are viewed in relation to data protection laws. It highlights the need for credit agencies to be transparent about their scoring processes.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A data subject was refused a loan after Schufa (the controller) had provided the data subject’s bank with a negative credit score. Schufa is a credit agency which provides third parties with information relating to individuals’ creditworthiness. The data subject requested Schufa to provide them with information relating to the data stored and to erase incorrect entries relating to them. As well as, to provide them with a detailed account of the logic involved in the determination of their credit score, and the significance and consequences of the processing of their data. Schufa responded by only providing the applicant with their credit score and a vague outline of its credit-score calculation process, noting that they were unable to disclose a detailed account of the calculation process as this would violate commercial secrecy. Moreover, Schufa noted that it only provided third parties with information which they used to reach decisions, while Schufa itself was not the party to determine the decisions. Following this, on 18 October 2018, the data subject filed a complaint against Schufa with the Hessian Commissioner for Data Protection (‘HBDI’), requesting that they order Schufa to disclose the logic involved in the determination of their credit score, and the significance and consequences of the processing of their data. On 3 June 2020, the HBDI dismissed the complaint, holding that Schufa’s processing was compliant with domestic law.[https://dejure.org/gesetze/BDSG/31.html §31 of the Bundesdatenschutzgesetz]. The data subject then appealed to the Administrative Court of Wiesbaden, under Article 78(1) GDPR. The Court stayed the proceedings and referred two questions to the CJEU. Only the first question is of relevance, as the CJEU did not consider the second. # Is a credit score issued by one party a decision for the purposes of Article 22(1) GDPR, where a third party draws strongly on that credit score to reach a decision? The Court held that a credit sco
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Schufa in DE
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
7 December 2023
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-6824About this data
Cite as: Cookie Fines. Schufa - Germany (2023). Retrieved from cookiefines.eu
Last updated: