SCHUFA – Court Ruling (Germany, 2025)

The controller, SCHUFA Holding AG, operates a credit information agency that collects and stores information on payment defaults reported by its contractual partners for the purpose of assessing consumers’ creditworthiness. The data subject had three undisputed payment defaults recorded by SCHUFA. Each claim had been fully settled between December 2020 and December 2022. Despite settlement, SCHUFA continued to store the corresponding entries and made them available to its clients for credit assessments. Over the course of the proceedings, SCHUFA progressively deleted the entries, relying in part on codes of conduct under Article 40 GDPR approved by the Hessian DPA, which provide for deletion after three years, or after 18 months under specific conditions. The data subject sought deletion of the entries, compensation for non-material damage under Article 82 GDPR, and reimbursement of pre-trial legal costs. After the deletion claims were declared settled, the Cologne Higher Regional Court awarded the data subject €500 in non-material damages, holding that continued storage after settlement was unlawful. The court reasoned that, following the CJEU’s judgment in SCHUFA Holding (C-26/22 and C-64/22), private credit agencies could not store data longer than comparable entries in the public debtor register, which must be deleted immediately upon proof of full satisfaction of the claim. SCHUFA appealed the decision to the Federal Court of Justice. The Federal Court of Justice upheld the appeal. The Court confirmed that credit information agencies pursue legitimate interests within the meaning of Article 6(1)(f) GDPR, both in their own economic interest and in the interest of their customers, such as lenders seeking reliable creditworthiness assessments. It emphasised that credit reporting serves recognised economic and consumer-protection functions and may, in principle, justify the processing of data on payment defaults. However, the Court held that the Court of Appeal w