The referral relates to complaints recently brought against the practices of a German credit scoring company called Schufa, but it could have wider significance for credit information agencies operating wherever the General Data Protection Regulation (GDPR) applies. Credit scoring companies that operate in the European Union could face tighter curbs under the bloc’s privacy laws and requirements, following a ruling issued by the Court of Justice (CJEU).
The Court considers that it is contrary to the GDPR for private agencies and firms to keep such data for longer than the public insolvency register does. The discharge from remaining debts is intended to allow the data subject to re-enter economic life, which is important to that person. According to TechCrunch+, the information is still used as a negative factor when assessing the solvency of the data subject. Where the retention of data is regarded as unlawful, the data subject has the right to have the information deleted, and the agency is obliged to delete it as soon as possible.
One complaint considered by the Court of Justice (CJEU) centered on the "prolonged" retention by the credit referencing company of information relating to the granting of a discharge from remaining debts, information that is kept in the German public insolvency register for only six months. A code of conduct for German credit information agencies, however, allows a retention period of three years for their own databases. The Hessian Data Protection Authority dismissed the complaint about data retention, seeking to argue that the local court could not review its decision, but the CJEU disagreed.
The CJEU also ruled on a second complaint that is important for credit scoring companies. The question was whether Schufa can automatically issue credit scores, given that the GDPR provides protections for individuals subject to automated decisions that have a legal or similarly significant impact on them. The Court held that the company’s credit scoring must be regarded as an automated individual decision, which is not allowed in principle by the GDPR, as Schufa’s customers attribute to it an important role in the granting of credit.
In addition, the CJEU stated that national courts need to be able to exercise full review over any legally binding decision of a data protection authority.
This pair of rulings follows another handed down by the CJEU, which legal experts suggested could result in significantly higher penalties for breaches of the GDPR, as it lowers the overall requirements for imposing fines on legal entities. The Court said that where a controller is a legal person, it is not necessary for the infringement to be committed by its management body, or for that body to have knowledge of the infringement. It further stipulated that, when calculating any fine, the supervisory authority must take as its basis the concept of an undertaking in competition law. Put another way, the revenue of the entire group is to be used in calculating the GDPR penalty for an infringement committed by a single unit of that group.