SCHUFA Holding AG – Court Ruling (Germany, 2024)

The data subject and the controller entered into a telecommunications contract beginning on the 24.08.2020. Subsequently, the data subject was notified that his personal data was shared with [https://www.schufa.de/ SCHUFA Holding AG], a credit rating agency. On the 25.08.2020, the controller notified SCHUFA of the conclusion of the contract and transferred various information regarding the contractual relationship with the data subject. In August 2023, SCHUFA provided the data subject with a copy of his recorded personal data which included the information on the telecommunications contract. In September 2023, the data subject contacted the controller claiming immaterial damages under Article 82(1) GDPR. In October 2023, SCHUFA announced that they would begin to delete personal data connected with telecommunications contracts. Also in October 2023, the data subject filed a lawsuit regarding the claimed immaterial damages and argued that he suffered from the transmission of data from the controller to SCHUFA. He claimed that the transmission was unlawful and could not be justified on a legal basis as per Article 6(1)(a), (b) and (f) GDPR. He elaborated that upon reception of the information by SCHUFA he felt loss of control and great worry regarding his creditworthiness. He further claimed entitlement to injunctive relief under Article 6(1) and Article 17 GDPR. The controller claimed that there had been no violation of the GDPR as the transmission of data protects consumers from overindebtedness, enables more precise prognosis of risk of default and ensures the functionality of credit rating agencies which are essential for economic trade. The controller argued that the data subject had suffered no damage and that his reactions were engineered and far-fetched. It based this argument on the fact that each citizen usually has several telecommunications contracts so the disclosure of this information in no way sets him apart from others. Therefore, the transfer of