Schufa Holding AG – Court Ruling (Germany, 2021)

The controller is the Schufa Holding AG, a German credit rating agency. The data subject went into private insolvency after a failed business start-up. The insolvency proceedings were concluded and he was discharged from residual debt. This was published - as provided for under national law - on the online insolvency notice portal (www.insolvenzbekanntmachungen.de). § 3(1) of the German Insolvency Notification Regulation (InsoBekV) provides that such publications must be deleted no later than six months after the discontinuation of the insolvency proceedings has become unappealable. The respective entry on the data subject was deleted during this period. The controller included the information on the discharge of residual debt in its database at the time of its publication on www.insolvenzbekanntmachungen.de. However, it continued to store the information in its database after it was deleted from the aforementioned register and processed it for credit assessment purposes. The controller is a member of an association of German credit agencies. This association has given itself rules of conduct according to which the information about the discharge of residual debt is to be deleted after 3 years. The data subject received (after deletion on www.insolvenzbekanntmachungen.de) a rejection for a flat enquiry because of his bad credit rating. An action by the data subject for deletion of the entry on residual debt discharge was dismissed at first instance. The data subject appealed against this decision to the Schleswig-Holstein Higher Regional Court (OLG Schleswig-Holstein). The court ruled that the data subject was entitled to erasure under Article 17(1)(d) GDPR, as the data processing was not lawful. In any case, the requirements of Article 6 GDPR were no longer met 6 months after the discharge of residual debt had become unappealable. = The court first states that the processing cannot be based on Article 6(1)(e) GDPR. For this to be the case, the processing must be