Significant clarifications by the European Court of Justice on the role of the SCHUFA score in credit rating assessments
On December 7, 2023, the European Court of Justice (ECJ) issued decisions in several reference proceedings (Case Nos. C-634/21, C-26/22, and C-64/22) that fundamentally revise previous understandings regarding the processing and use of the so-called SCHUFA score. The judgments concern key aspects of the General Data Protection Regulation (GDPR), creditworthiness assessments, and the balancing of data protection interests between affected individuals and credit reference agencies.
Background of the decision
The cases concerned complaints from citizens who objected to the automated processing and material use of SCHUFA scores by banks and other business partners in the context of credit decisions. The central issue was to determine whether and to what extent the algorithm-based score may be decisive for credit granting—for instance, during loan applications, leasing contracts, or the conclusion of agreements.
Data processing and automated decision-making
The score as personal profiling
The ECJ clarified that the generation of a SCHUFA score constitutes a form of “profiling” within the meaning of Art. 4 No. 4 GDPR. Here, data, especially on payment and contractual reliability, is aggregated, analyzed, and converted into a numerical assessment. This creates a personal risk profile that is made available to banks and other business partners.
Decisiveness within the meaning of the GDPR
Of particular importance is the finding that the exclusive or predominant use of such a score for the decision on whether to conclude or reject a contract constitutes an automated individual decision within the meaning of Art. 22 GDPR. The guiding question is whether a human review still takes place, or whether the numerical score result is de facto binding for the decision.
Impacts on business practices of credit institutions and credit reference agencies
Permissibility of automated decisions
According to the judgments, banks, insurers, and other contractual partners are no longer permitted to use the SCHUFA score as the sole or predominantly decisive factor unless adequate measures have been implemented to ensure an additional individual assessment. The scoring information may only serve a supporting function.
Transparency and rights to information
The judgments further underline the right of affected individuals to transparent information pursuant to Art. 15 GDPR. Companies are obliged to disclose the extent to which and the data basis on which the score is calculated, as well as how this score was used in the decision-making process.
Further legal issues: regulation of historical entries and data deletion
Processing of debt discharge information
Another key issue was the handling of information regarding debt discharges obtained and their storage in the context of scoring processes. The ECJ clarified that national provisions allowing such data to be stored beyond the period specified by public registers are not compatible with Union law. This means that ongoing storage and use of such entries by agencies like SCHUFA may become impermissible once the relevant information has been deleted by state registers.
Erasure claims and corrections
As a result of the decisions, affected individuals have an enhanced right to the erasure or correction of inaccurate or outdated score-related data. In particular, data concerning debt discharges may not be stored for longer than provided for in public registers.
Implications for the credit industry and contractual practice
The ECJ’s rulings not only clarify the interpretation of the GDPR in connection with creditworthiness checks, but also impact fundamental business models of credit reference agencies and credit institutions. Banks and insurance companies are now required to adapt their credit assessment processes to multilateral decision-making bases to prevent purely automated rejections based on a score in the future.
Requirements for grounds of decisions
In the future, detailed documentation and, where appropriate, human review of individual cases will be necessary to comply with the ECJ and GDPR requirements. The decisions strengthen consumers’ legal position and raise the bar for transparency and traceability in the handling of personal data.
Potential practical implications
In view of these rulings, it can be expected that both data disclosure practices and credit assessment processes in many companies will need to adapt fundamentally. In parallel, data protection supervisory authorities will monitor correct implementation and intervene when necessary.
Conclusion and outlook
The recent ECJ decisions mark a milestone in data protection law and bring significant legal developments regarding the handling of scoring data, in particular the SCHUFA score. The scope of these rulings is not limited to the credit industry alone, but extends to credit assessment practices as a whole. Companies, banks, and credit reference agencies are called upon to thoroughly reconsider their decision-making processes to comply with Union law requirements.
As a result, new challenges and questions arise for companies, investors, and individuals, particularly with regard to data protection-compliant internal processes, the balancing of interests in credit checks, and ensuring rights to information and correction.
In the case of complex issues and individual concerns raised by the new ECJ jurisprudence and its implementation in practice, targeted legal assessments can provide clarity.
Note: This article is for information purposes only. For further questions, the Rechtsanwalt from MTR Legal will gladly draw upon their extensive experience in banking, data protection, and contract law.
