In cases against SCHUFA, a German credit information provider, the advocate general at the Court of Justice of the EU (CJE), Mr Pikamäe, has presented his opinion on the case. He advised that the automated establishment of a probability concerning the ability of a person to service a loan constitutes profiling under the GDPR. Further he was of the opinion that the storage of data by a private credit information agency cannot be lawful once the personal data concerning insolvency have been erased from public registers.

From the press release, the case:

Case C-634/21 concerns proceedings between a citizen and Land Hessen, represented by the Data Protection and Freedom of Information Commissioner for Hesse (the ‘HBDI’), regarding the protection of personal data. As part of

its economic activity, which consists in providing its clients with information on the creditworthiness of third parties, SCHUFA Holding AG (‘SCHUFA’), a company governed by private law, provided a credit institution with a score for the

citizen in question, which served as the basis for the refusal to grant the credit for which the latter had applied. The citizen subsequently requested SCHUFA to erase the entry concerning her and to grant her access to the corresponding data. The latter, however, merely informed her of the relevant score and, in broad outline, of the principles underlying the calculation method for the score, without informing her of the specific data included in that calculation or of the relevance accorded to them in that context, arguing that the calculation method is a trade secret.

On the opinion:

In his Opinion, Advocate General Priit Pikamäe states, first of all, that the GDPR establishes a ‘right’ for the person concerned not to be subject to a decision based solely on automated processing, including profiling.

The Advocate General then finds that the conditions for that right are satisfied because:

1. the procedure at issue constitutes ‘profiling’,
2. the decision produces legal effects concerning the person concerned or similarly significantly affects him or her, and
3. the decision is based solely on automated processing.

The provision of the GDPR laying down that right is therefore applicable in circumstances like those in the main proceedings.

The Advocate General points out that, under another provision of the GDPR, the person concerned has the right to obtain from the controller not only confirmation as to whether or not personal data concerning him or her are being processed, but also other information, such as on the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person concerned. He considers that that the obligation to provide ‘meaningful information about the logic involved’ must be understood to include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain result. In general, the controller should provide the person concerned with general information, notably on the factors taken into account for the decision-making process and on their respective weight on an aggregate level, which is also useful for him or her to challenge any ‘decision’ within the meaning of the GDPR, recognising the ‘right’ not to be subject to a decision based solely on automated processing, including profiling.

The Advocate General takes the view that that provision is to be interpreted as meaning that the automated establishment of a probability value concerning the ability of the person concerned to service a loan in the future already constitutes a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or similarly significantly affects him or her, where that value, determined by means of personal data relating to that person, is transmitted by the controller to a third-party controller and the latter, in accordance with consistent practice, draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with that same person.

Other cases concerned the requests made to ensure the deletion of an entry relating to discharge from remaining debts from the records of SCHUFA. The agency has entered published information relating to early discharges from remaining debts in its own databases, but SCHUFA does not delete it until three years after entry. The questions referred by the national court concern, among other things, the question of the lawfulness of the storage of personal data from public registers by credit information agencies.

In the second place, the Advocate General states that, under the GDPR, the processing of personal data may be lawful, inter alia, when the three following cumulative conditions are satisfied:

– first, the pursuit of a legitimate interest by the data controller or by the third party or third parties to which the data are communicated,
– second, the need to process personal data for the purposes of the legitimate interest pursued, and
– third, the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.

Mr Pikamäe observes that the considerable negative consequences that the storage of data will have on the person concerned after the period of six months in question seem to override the commercial interest of the private agency and its clients in storing the data after that period. In this context, he points out that the discharge from remaining debts granted is intended to allow the beneficiary to re-enter economic life. That objective would be frustrated if private credit information agencies were authorised to store personal data in their databases after the data have been erased from the public register

The Advocate General takes the view that the storage of data by a private credit information agency cannot be lawful, under the provision of the GDPR laying down the conditions set out above, once the personal data concerning insolvency have been erased from public registers. As regards the period of six months during which the personal data are also available in public registers, it is for the referring court to balance the abovementioned interests and impacts on the person concerned in order to determine whether the parallel storage of those data by private credit information agencies is lawful on that basis.

In the third place, the Advocate General points out that the GDPR provides a right for the person concerned to obtain the erasure of his or her personal data where he or she objects to the processing or where those data have been unlawfully processed. In the Advocate General’s view, in such situation, the person concerned therefore has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.

More information:

• Press release on Advocate General’s Opinion in Case C-634/21 | SCHUFA Holding and Others (Scoring) and in Joint Cases C-26/22 and C-64/22 SCHUFA Holding and Others (Discharge from remaining debts).
• The opinions: case C-634/21 ECLI:EU:C:2023:220 (scoring), NL version; cases C-26/22 and C-64/22 ECLI:EU:C:2023:222 (discharge from remaining debts), NL version.