CJEU considers credit score an automated individual decision under the GDPR
12 February 2024
On 7 December 2023, the Court of Justice of the European Union ("CJEU") issued two landmark judgments in proceedings against the German Credit Reference Agency SCHUFA (C-26/22 and C-64/22) which limit the retention period for credit reporting agencies, confirm the application of erasure in such credit reporting cases and provide more certainty on the scope judicial review of DPA decisions.
The CJEU considers the automated assignment of automatically calculated credit scores as automated decision-making (Art. 22 GDPR). The CJEU interprets the term "decision" in Art. 22 para. 1 GDPR broadly. Even the mere establishment of a credit score value represents an automated decision, as the credit score will typically have a significant impact on the subsequent decision of a third party which relies on the credit score, e.g. in case of credit applications. The CJEU sees a gap in legal protection of data subjects in tripartite relationships. In particular because the data subject would not have an efficient right of access in relation to the logic behind the automated decision making: On one hand, the data subject does not have a right of information with respect to the existence of and the logic behind the automated decision making (Art. 15 para. 1 lit. h GDPR) against the credit agency, as the latter does not conduct decision-making. On the other hand, the data subject does not have an effective right to information about the automated decision-making process against the third party making the decision (e.g. the bank) as the latter does not have the relevant information on the decision-making process. The CJEU held that this gap of legal protection and the missing right of access contradict the purpose of Art. 22 GDPR to protect the data subjects against significant effects of automated processing on their privacy rights and freedoms.
The CJEU has left open whether such automated decision making by Schufa could be justified under current member state law (Art. 22 para. 2 lit. b GDPR, Section 31 Federal Data Protection Act (BDSG)). It is now for the German courts to decide whether Section 31 BDSG provides "suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests" (Art. 22 para. 2 lit. b GDPR).
The CJEU further held that credit reporting agencies must delete data which they had collected from public registers within a certain period after the information is no longer available in the public register. The CJEU sees legitimate interest as the only valid legal basis for data processing by credit reporting agencies (Art. 6 para. 1 lit. f GDPR) and that such legitimate interest cannot justify processing of personal data by Schufa beyond the retention period which applies to public registers. Under German law, public registers may not publish information about insolvency proceedings for longer than six months after the end of the relevant proceedings. The CJEU holds the legitimate interest of private sector actors, like SCHUFA, cannot justify a longer retention period for data obtained from a public register than that which applies to public registers. Beyond that, it is for the national court to decide whether the processing of personal data during this six month timeframe is strictly necessary in order to achieve the legitimate interest pursued. The CJEU also held that Schufa cannot base its processing on its code of conduct which had been approved by the competent data protection authority, given that a code of conduct will not substitute a missing legal basis as already noted on page 3 in the codes of conduct (Codes of Conduct for German Credit reporting agencies).
In this context, the CJEU restated the data subjects' right to object to any processing based on Article 6 para. 1 lit. e or f under Article 21. It noted that the controller must cease to process the personal data unless the controller can demonstrate compelling legitimate ground to continue processing that overrides the data subjects' interest, in case data subject objects.
Finally, the CJEU confirmed that national courts have extensive powers to scrutinize the decisions of data protection authorities.
The CJEU finally strengthened the data subjects' rights by explicitly rejecting the data protection authority's position that the GDPR grants individuals only a limited right of judicial review in cases where a DPA has handled a complaint, investigated it and confirmed the outcome to the complainant. Rather, the data subject has the right to request a full judicial review of any decision by a DPA.
Authors: Alexander Duisberg, Partner; David Plischka, Junior Associate.
