Data Controller (entity responsible for reporting to SCHUFA) – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A major private bank in Germany failed to report a customer's loan settlement accurately to SCHUFA, leading to incorrect credit information. The court upheld a reprimand from the data protection authority, stressing the need for accurate data processing. This case shows that companies must ensure their systems report data correctly.
What happened
The bank did not accurately report a customer's loan payments to SCHUFA due to errors in its automated system.
Who was affected
The affected person was a customer of the bank whose loan settlement was reported incorrectly.
What the authority found
The court ruled that the bank violated GDPR by failing to ensure the accuracy of the personal data sent to SCHUFA.
Why this matters
This ruling highlights the importance of accurate data reporting for businesses. Companies must regularly check their data systems to avoid misleading information that can harm customers.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller, a major private bank, failed to properly report a data subject's loan settlement to SCHUFA. Despite the data subject making regular payments, the controller’s automated system did not record them correctly, resulting in inaccurate reports being sent to SCHUFA. Following a complaint, the DPA issued a reprimand against the controller for violating Article 5(1)(d) GDPR, which mandates accurate data processing. The controller argued that the violation occurred before the GDPR came into effect, thus it should not apply. Even if the GDPR were to be applicable, the controller contended that it had taken appropriate corrective actions and that it should not be held accountable for the errors in the automated system. The controller seeks to have the warning lifted by the Administrative Court of Düsseldorf (VG Dusseldorf). The DPA maintains that the controller’s failure to ensure accurate reporting violates the GDPR. The court held that the DPA’s reprimand against the controller was justified. It found that the controller failed to ensure the accuracy of the personal data transmitted to SCHUFA, as required by the GDPR. The court emphasized that under Article 5(1)(d) GDPR, personal data must be accurate and kept up to date. The controller continued to report inaccurate balance information to SCHUFA after the debt was settled in February 2018, violating the principle of data accuracy also after the GDPR came into effect. The court noted that while the controller may have processed the data with a legitimate interest, the failure to correct inaccuracies in the data subject’s data within a reasonable time violated the principle of data accuracy. The controller did not demonstrate sufficient efforts to correct or delete the incorrect data after the debt was settled, which violated the accountability principle as laid out in Article 5(2) GDPR as well. While the DPA could have imposed a fine under Article 83 GDPR, the court found that the DPA’s decision to issue a
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Controller (entity responsible for reporting to SCHUFA) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data Controller (entity responsible for reporting to SCHUFA) - Germany (2025). Retrieved from cookiefines.eu
Last updated: