Background of the Judgment: Fundamental Questions on Data Transmission to Credit Agencies
On November 12, 2025, the Federal Court of Justice (BGH) ruled on the admissibility of the transmission of so-called “positive data” by mobile phone companies to credit agencies like SCHUFA (Case No.: VI ZR 431/24). The central issue in the proceedings was whether the transfer of credit-relevant, positive contract information – such as information about a valid mobile phone contract – meets data protection requirements. This decision is of significant relevance for the economy, particularly for service providers, credit institutions, and investors, with respect to risk assessment and business transactions.
Positive Data and Their Significance for Economic Life
Classification of Positive Data in the Context of Credit Checks
Positive data are details about the establishment, existence, and proper fulfillment of contractual obligations. In contrast to negative data, such as payment defaults or contract disruptions, positive data highlight the reliability and willingness of a person to fulfill obligations in business transactions. Credit agencies use such information to create credit ratings, which serve as an indicator for contracting parties of the economic trustworthiness of potential business partners.
The transmission of these data is typically based on Article 6 (1) (f) of the General Data Protection Regulation (GDPR), which allows the processing of personal data based on legitimate interests. The interest of the economy in effective risk management regularly stands in tension with the rights of affected individuals to informational self-determination.
Scope of Application in the Mobile Sector
In particular, mobile phone providers face the challenge of managing large volumes of personal data and sometimes passing it to credit agencies. This results in obligations for companies to process data carefully. At the same time, effective identity and credit checks with respect to payment behavior are indispensable to prevent abuse and ensure the company’s own liquidity.
Judgment and Reasoning of the Federal Court of Justice
Data Security versus Legitimate Interest
In its ruling, the BGH clarified that the transmission of positive data to credit agencies is permissible, provided that essential legal requirements are met. In the specific case, the Senate advocated for the overriding legitimate interest of the companies obligated to provide information. In the court’s view, knowledge of positive data allows for a more objective credit assessment, which ultimately benefits legal transactions.
A crucial role was played by the balance between the right to data protection of the affected person and the interests of the company as well as the general public in reliable credit indicators. The BGH particularly relied on the fact that the use and transmission of the data contribute to a legally secure business relationship and minimize the risk of abuse in concluding contracts with unknown contract partners. At the same time, the court emphasized that processing must be carried out in compliance with the principles of data minimization and transparency.
Limits of Data Processing According to the GDPR
The BGH highlighted the requirements of the General Data Protection Regulation in terms of legality, purpose limitation, and information obligation as decisive. Accordingly, companies must ensure that affected individuals are informed about the type of data processed, the purpose of transmission, and the possibility of objections. The crucial factor here is maintaining the balance between economic necessity and the protection of personal rights.
Consequences for Companies and Affected Individuals
Impacts on Various Industries
The BGH’s decision is significant beyond the mobile industry for all economic sectors where credit information is collected and processed. Banks and financial service providers, landlords, and mail-order companies also often rely on information from credit agencies to minimize risks. The now confirmed permissibility of transmitting positive data expands the data basis for credit checks and provides companies with a more accurate picture of potential contract partners.
Data Protection Control Mechanisms and Rights of Affected Individuals
Affected individuals retain extensive rights under the applicable provisions of the GDPR. These include, in particular, rights to information about stored data, rights to rectification in case of inaccuracies, and the right to deletion, provided the data processing is not necessary or is carried out unlawfully. Companies remain obligated to incorporate data protection principles into the operational process and to handle objections or deletion requests appropriately.
Outlook and Open Questions
With the judgment, the BGH sets an essential guideline for balancing economic interests in comprehensive credit information with the data protection interests of affected individuals. It remains to be seen to what extent further judicial clarification regarding issues around the necessity of consent, the scope of data processing, and the development of technical security measures will take place.
Companies, investors, and wealthy private individuals are challenged by the ongoing digitalization to manage the balancing act between compliance, effective risk management, and data protection. Should you have further questions about the legal framework for data processing, banking or data protection issues related to credit information, or the legally secure design of business processes, please find more information on Legal Advice in Banking Law at MTR Legal.