• Blog
  • SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR

SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR

Simon Coulthard December 11, 2023

4-minute read

The European Court of Justice (ECJ) has ruled that the data practices of SCHUFA Holding AG - a leading German consumer credit reporting company - may contravene the EU General Data Protection Regulation (GDPR).

This decision has far-reaching implications, placing pressure on businesses to align credit decision-making practices with GDPR requirements.


Unlock Your Full Potential

Our advanced website intelligence solution will enable anyone to grow their website quickly, while protecting visitor data rights. Sign up for free today, remove your ugly cookie banner, and supercharge data collection!


SCHUFA is Germany's largest credit agency. It holds records on 68 million people and six million companies, and carries out 165 million credit checks every year. It's short for Schutzgemeinschaft für allgemeine Kreditsicherung, which roughly translates to “general credit protection agency.”

SCHUFA rates creditworthiness with a system known as scoring, which refers to a mathematical-statistical procedure that predicts the probability of a person's future behavior. The company uses data on payment history, which it receives from companies belonging to the credit protection network.

This all happens behind the scenes, and without the express permission of data subjects, making this ECJ case important to the wider credit agency industry, financial services, and beyond.

A low SCHUFA score acts as a barrier to many essential services in German life. It can, for instance, stop people being able to rent an apartment, get a credit card, or sign up to a broadband contract.

What Did the ECJ Rule?

Last week (7th December), the ECJ passed a ruling on two proceedings (C-634/21 and joined cases C-26/22 and C-64/22) that have implications on the business practices around scoring by credit agencies. It focused on two main legal issues regarding SCHUFA:

  1. The company's "prolonged" data retention practices: SCHUFA stores historical financial data on its own databases for three years - longer than the six-month data-retention period set by German insolvency laws.
  2. Whether SCHUFA has the right to automatically issue credit scores when the GDPR restricts these processes when the result may have a significant impact on EU citizen(s).

Origin of Case Against SCHUFA

The ruling against SCHUFA arose from a dispute between the company and an individual (OQ) who was denied credit based on their credit rating. OQ requested all the data held by SCHUFA on them and to erase some allegedly incorrect information. In response, SCUFA refused to disclose what information was used to calculate their credit score and weighting.

Central to this case was the question of whether SCHUFA's processes for creating consumer credit scores constitute an "automated decision" under Article 22 of the GDPR. There was also the issue of accountability since it's not SCHUFA themselves that makes the decision, but instead the third-party companies that people apply to.

Given this, the case was referred to the ECJ by the Administrative Court of Wiesbade for a preliminary ruling, and particularly in regard to the rights and protections afforded to individuals against automated decision-making and profiling under GDPR.

ECJ Ruling Against SCHUFA

Legitimate Data Retention Duration

The ECJ ruled that the prolonged retention of data relating to approving a discharge from debt violates GDPR. It ruled that it is "contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register [being six months]".

And after this point, credit agencies can only continue storing this data if they can prove legitimate interest as per Article 6 Paragraph 1 GDPR.

It stated that data subjects have the right to have their data deleted on request, and that SCHEFA is then obliged to act on this request and to delete this data as soon as possible.

The court also ruled that a credit agency is not allowed to process data from publicly available sources for longer than the data is still available from this source.

Right to Automatically Issue Credit Scores

The ECJ held that SCHUFA's credit rating system constitutes an "automated individual decision" which is, “prohibited in principle by the GDPR, in so far as SCHUFA's clients, such as banks, attribute to it a determining role in the granting of credit.”

Put another way, the court has ruled that any type of automated scoring is illegal if it significantly impacts the lives of data subjects - as is the case with credit scoring.

Other Rulings

The court also ruled that thee Wiesbaden Administrative Court (ACW) must now clarify whether German law provides a permissible exception for scoring. This court is part of the German judicial system and specializes in handling cases related to administrative law.

And if this was the case, the ECJ declared that the ACW had to check whether the requirements laid out by the GDPR had been met, for instance that individuals were made aware of their right to object to an automated decision and to get a human decision instead. It also stated that credit agency data subjects had the right to receive a justification for their credit rating on request.

Secondly, the ECJ also underlined that responsibility of national courts to conduct a "full review" of any legally binding decisions of their data protection authority.

Wider Business Implications

This decision is the first ruling on on automated individual decision-making since GDPR arrived back in 2018, and it has far-reaching implications that go beyond SCHUFA and the wider credit scoring industry:

  • The process of credit agency scoring is now illegal under GDPR, meaning companies must review and adapt their systems.
  • The data used to build credit scores must be checked to see whether it's legitimate, regardless of whether automated decision-making is used.
  • Any consent required to secure credit-based decisions must bee checked for legitimacy. And with automated decision-making, consent is only effective is the correct decision is covered by the consent, if applicable.
  • Score values that are no longer up to date or where there is a risk that they were calculated illegally must be deleted.
  • Companies can use credit scrores when reviewing the creditworthiness of applicants, but only if it is not the sole basis for their decision.


TWIPLA is a leading provider of privacy-first analytics, with a complete web intelligence solution of advanced features. Our platform complies with every data laws by default, enabling 2.5 million users to collect more data, with higher accuracy of insight, and without needing a cookie a consent banner.

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security