

CJEU decision: “scoring” and keeping debt records


On 7 December 2023, the Court of Justice of the European Union (hereinafter referred to as the "CJEU") published two judgments: (i) in case C-634/21 (SCHUFA Holding) and (ii) in joined cases C-26/22 and C-64/22 (SCHUFA Holding).

These judgments were delivered following applications by several citizens to the Administrative Court of Wiesbaden, Germany, based on the refusal of the competent Data Protection Commissioner[1] to take concrete action against activities carried out by SCHUFA Holding AG (hereinafter referred to as "SCHUFA").

SCHUFA is a private company under German law that provides its contractual partners with information on credit and creditworthiness.

This company assesses the likelihood of a particular natural/legal person’s future behaviour (“score”), such as honouring/paying off a loan, on the basis of a comparative profile based on mathematical and statistical criteria. Scoring is determined on the assumption that the classification of a person in a certain category with identical characteristics makes it possible to predict future behaviour.

SCHUFA also keeps commercial information from public registers for a period of three (3) years, in accordance with the code of conduct drawn up in Germany by the association of companies providing commercial information, a period approved by the competent supervisory authority, but which differs from the six (6)-month period provided for by German federal law.

The requests for preliminary rulings before the CJEU were based, on the one hand, on (i) the scoring activity carried out by SCHUFA and, on the other hand, on (ii) the opposition to the time limits for keeping records of outstanding debt by the same organisation (such as public insolvency registers).

The first decision, in Case C-634/21, concerned the interpretation of Article 6(1) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and was filed following a dispute between citizens affected by SCHUFA's activity and the federal state of Hesse, regarding the refusal by the “Data Protection and Freedom of Information Commissioner” of that state to order SCHUFA to grant a request submitted by those citizens aimed at accessing and deleting personal data concerning them.

When asked to rule on the matter, the CJEU ruled that the “scoring” carried out by SCHUFA should be considered an “automated individual decision”, which, in principle, is prohibited by the GDPR, when SCHUFA's customers, such as banks, give it a decisive role in granting credit.

The second judgment, delivered in joined cases C-26/22 and C-64/22 (SCHUFA Holding), concerns the interpretation of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, as well as Article 6(1), first subparagraph, point (f), Article 17(1)(d), Article 40, Article 77(1) and Article 78(1) of the GDPR, and was based on two disputes between two entities and the federal state of Hesse concerning the refusal of the “Data Protection and Freedom of Information Commissioner” of that state to order SCHUFA to delete data it had stored relating to the discharge from the remaining debt in favour of those entities.

In this case, the CJEU ruled that it was contrary to the GDPR for private agencies such as SCHUFA to keep data for a longer period than the public insolvency register under German law. The rationale for this judgment is based on the assumption that the purpose of the information relating to the “discharge from the remaining debt” is to enable the target entity to participate in economic life once again, which is why this information is crucial to those involved, since it can result in a negative judgement about the solvency of a given entity.

In the present case, given the time limit set by the German lawmaker, the CJEU held that, once this time limit had expired, the rights and interests of the data subject took precedence over the other interests involved in obtaining this information.

The CJEU held that keeping the information for more than six months was unlawful and, therefore, the data subject was entitled to have the data deleted and SCHUFA was required to delete it without undue delay.

It will now be up to the Wiesbaden Administrative Court to weigh up the interests at stake for the purposes of assessing the lawfulness of storing the information and to assess whether German federal data protection law contains, in line with the GDPR, a valid exception to this prohibition. If this is the case, the Administrative Court must also check whether the general conditions laid down in the GDPR for data processing are met. In any case, even if the court finds that the storage is lawful, the data subject still has the right to object to the processing of their data.

It should be noted that the CJEU's position will be taken into account by the competent national courts and their supervisory authorities in situations similar to those described.


[1] Hessischer Beauftragter für Datenschutz und Informationsfreiheit (Data Protection and Freedom of Information Commissioner for the Federal State of Hesse, Germany)