ECJ ruling on the Schufa scoring in Germany and its implications

1. Background

Schufa is a credit rating agency in Germany. Whether German consumers are eligible for a loan or may pay for their purchases by invoice depends on factors such as their Schufa score.

Schufa calculates this score based on large amounts of personal data. However, the company does not disclose exactly how this is done.

This information is of particular interest to people who may have been denied loans based on their score. The European Court of Justice (ECJ) has now examined whether the Schufa scores and their use by other companies are permissible under the General Data Protection Regulation (GDPR).

2. The ruling

The ECJ says: Companies may not use the score as the sole or decisive basis for a contractual decision. This is because even the calculation of the credit score value would then constitute a so-called “automated decision in individual cases”, which is not permitted under the GDPR. One of the reasons for this is that both companies and consumers are unable to understand how this score is calculated.

3. What do companies need to keep in mind?

If the decision to conclude a contract with a data subject is “significantly” based on their respective Schufa score, the ECJ ruling states this is not GDPR compliant.

Although the ECJ’s findings only formally apply to Schufa, they can be applied to all credit rating agencies. Where credit scores form the basis for whether a contract should be concluded or not, the company must demonstrably ensure that this value is only one of several criteria and that the final decision is made by employees.

When using credit scores, fox-on recommends creating binding criteria for these decision-making processes in the form of a policy or guidelines for employees (also ensuring that the final decision is made by employees) and recording this in your own data protection documentation (e.g. in foxondo).

4. Outlook

German credit agencies have so far relied on an exception in Section 31 of the Federal Data Protection Act (BDSG) in their scoring practice. The legality of this is currently being examined by German courts. The Federal Government has already announced a new regulation in the BDSG in order to create the conditions for a scoring practice that complies with European law. We are monitoring the issue and will inform you as soon as there is any news.

Summary

Automated decision-making with legal consequences for data subjects is not permitted under the GDPR. Companies should therefore not base their decisions to grant loans or credit solely on a customer’s Schufa score or other credit rating score. If you have any questions, please do not hesitate to contact fox-on.