Data Controller (entity responsible for reporting to SCHUFA) – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller, a major private bank, failed to properly report a data subject's loan settlement to SCHUFA. Despite the data subject making regular payments, the controller’s automated system did not record them correctly, resulting in inaccurate reports being sent to SCHUFA. Following a complaint, the DPA issued a reprimand against the controller for violating Article 5(1)(d) GDPR, which mandates accurate data processing. The controller argued that the violation occurred before the GDPR came into effect, thus it should not apply. Even if the GDPR were to be applicable, the controller contended that it had taken appropriate corrective actions and that it should not be held accountable for the errors in the automated system. The controller seeks to have the warning lifted by the Administrative Court of Düsseldorf (VG Dusseldorf). The DPA maintains that the controller’s failure to ensure accurate reporting violates the GDPR. The court held that the DPA’s reprimand against the controller was justified. It found that the controller failed to ensure the accuracy of the personal data transmitted to SCHUFA, as required by the GDPR. The court emphasized that under Article 5(1)(d) GDPR, personal data must be accurate and kept up to date. The controller continued to report inaccurate balance information to SCHUFA after the debt was settled in February 2018, violating the principle of data accuracy also after the GDPR came into effect. The court noted that while the controller may have processed the data with a legitimate interest, the failure to correct inaccuracies in the data subject’s data within a reasonable time violated the principle of data accuracy. The controller did not demonstrate sufficient efforts to correct or delete the incorrect data after the debt was settled, which violated the accountability principle as laid out in Article 5(2) GDPR as well. While the DPA could have imposed a fine under Article 83 GDPR, the court found that the DPA’s decision to issue a
GDPR Articles Cited
The controller, a major private bank, failed to properly report a data subject's loan settlement to SCHUFA. Despite the data subject making regular payments, the controller’s automated system did not record them correctly, resulting in inaccurate reports being sent to SCHUFA. Following a complaint, the DPA issued a reprimand against the controller for violating Article 5(1)(d) GDPR, which mandates accurate data processing. The controller argued that the violation occurred before the GDPR came into effect, thus it should not apply. Even if the GDPR were to be applicable, the controller contended that it had taken appropriate corrective actions and that it should not be held accountable for the errors in the automated system. The controller seeks to have the warning lifted by the Administrative Court of Düsseldorf (VG Dusseldorf). The DPA maintains that the controller’s failure to ensure accurate reporting violates the GDPR. The court held that the DPA’s reprimand against the controller was justified. It found that the controller failed to ensure the accuracy of the personal data transmitted to SCHUFA, as required by the GDPR. The court emphasized that under Article 5(1)(d) GDPR, personal data must be accurate and kept up to date. The controller continued to report inaccurate balance information to SCHUFA after the debt was settled in February 2018, violating the principle of data accuracy also after the GDPR came into effect. The court noted that while the controller may have processed the data with a legitimate interest, the failure to correct inaccuracies in the data subject’s data within a reasonable time violated the principle of data accuracy. The controller did not demonstrate sufficient efforts to correct or delete the incorrect data after the debt was settled, which violated the accountability principle as laid out in Article 5(2) GDPR as well. While the DPA could have imposed a fine under Article 83 GDPR, the court found that the DPA’s decision to issue a
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Controller (entity responsible for reporting to SCHUFA) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data Controller (entity responsible for reporting to SCHUFA) - Germany (2025). Retrieved from cookiefines.eu
Last updated: