Skip to main content
Please wait...

 Database index

Case Law

CJEU, 7 December 2023, Schufa Holding (Scoring), Case C-634/21

Country
European Union
Decision date
Deciding body
Court of Justice the European Union
Deciding body (Original name)
Court of Justice the European Union
ECLI
ECLI:EU:C:2023:957
Type of Court (material scope)
European Court
Type of jurisdiction
Single jurisdiction system
Type of Court (territorial scope)
Supranational Court
Instance
Preliminary ruling
Status
Final
Project area
AI and consumer markets
Law area
Privacy / data protection
Consumer protection

General Summary

SCHUFA Holding AG, a private company under German law, provides its contractual partners with information on the creditworthiness of persons. To that end, it assigns to each person a score, which it establishes based on certain characteristics of that person, on the basis of mathematical and statistical procedures.

After having been the subject of negative information established by SCHUFA and transmitted to a credit institution, OQ was refused, by that institution, the granting of a loan. OQ applied for SCHUFA to give her access to the data concerning her and to erase the data which was allegedly incorrect. SCHUFA, however, only sent her score to her and, in broad terms, the methods for calculating that score, referring, for the remainder, to trade secrecy.

OQ then lodged a complaint against SCHUFA before the Data Protection and Freedom of Information Commissioner for the Federal State of Hesse (the HBDI), which was rejected by the latter on the ground that SCHUFA’s activity complied with the German legislation governing the terms of use of a probability value relating to creditworthiness.

Hearing an appeal by OQ against the decision of the HBDI, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) asked the Court of Justice for an interpretation of article 22 GDPR regarding the right of the data subject not to be subject to a decision based solely on automated processing, including profiling.

In its judgment, the Court interprets, for the first time, article 22 GDPR. It decides on the question of whether the automated establishment by a credit information agency of a probability value concerning the ability of a person to meet payment constitutes automated individual decision-making and therefore falls within the scope of application of those provisions.

Facts of the case

The dispute in the main proceedings is the following. SCHUFA is a private company under German law which provides its contractual partners with information on the creditworthiness of third parties, in particular, consumers. To that end, it establishes a prognosis on the probability of a future behaviour of a person (‘score’), such as the repayment of a loan, based on certain characteristics of that person, on the basis of mathematical and statistical procedures.

OQ was refused the granting of a loan by a third party after having been the subject of negative information established by SCHUFA and transmitted to that third party. OQ applied for SCHUFA to send her information on the personal data registered and to erase some of the data which was allegedly incorrect. In response to that request, SCHUFA informed OQ of her score and outlined, in broad terms, the methods for calculating the scores. However, referring to trade secrecy, it refused to disclose the various elements taken into account for the purposes of that calculation and their weighting. Lastly, SCHUFA stated that it limited itself to sending information to its contractual partners and it was those contractual partners which made the actual contractual decisions.

By a complaint lodged on 18 October 2018, OQ asked the HBDI, the competent supervisory authority, to order SCHUFA to grant her request for access to information and erasure. By decision of 3 June 2020, the HBDI rejected that application for an order. OQ appealed against that decision before the Administrative Court (Wiesbaden, Germany), in accordance with Article 78(1) of the GDPR.

Measures, actions, remedies claimed
  • The request for a preliminary ruling has been made in proceedings between OQ and the Land Hessen (Federal State of Hesse, Germany) concerning the refusal of the the HBDI to order SCHUFA to grant an application lodged by OQ seeking to access and erase pers
Individual / Collective enforcement
Individual action
Nature of the parties
  • Private individual
  • Public
Reasoning of the deciding court

First of all, the Court finds that the three cumulative conditions of applicability of the article 22 GDPR which govern the right of the person not to be the subject of a decision based solely on automated processing, including profiling, are met in the present case.

As regards the first condition, relating to the existence of a decision, the Court specifies that the concept of ‘decision’ has a broad scope and may encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.  Concerning the second condition, according to which the decision must be ‘based solely on automated processing, including profiling’, it is common ground, that the activity of the company in question meets the definition of ‘profiling’ (article 4.4 GDPR). As regards the third condition, according to which the decision must produce ‘legal effects’ concerning the person at issue or affect him or her ‘similarly significantly’, the Court notes that, in the present case, the action of the third party to whom the probability value is transmitted draws ‘strongly’ on that value. An insufficient probability value leads, in almost all cases, to the refusal of that bank to grant a loan.

The Court concludes that, in the event that the probability value established by a credit information agency plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing ‘legal effects concerning him or her or similarly significantly [affecting] him or her’, within the meaning of Article 22(1) GDPR.

The Court points out that that interpretation reinforces the effective protection intended by the GDPR. On the other hand, a restrictive interpretation, according to which the establishment of the probability value must only be considered as a preparatory act and only the act adopted by the third party can, where appropriate, be classified as a ‘decision’, would lead to a lacuna in legal protection. In that situation, the establishment of such a value would escape the specific requirements provided for in article 22 GDPR. Furthermore, the data subject would not be able to assert, from the credit information agency, his or her right of access to the specific information (article 15.1), h) GDPR).

Lastly, the Court notes that the fact that the establishment of a probability value is covered by article 22 GDPR has the consequence that it is prohibited unless one of the exceptions is applicable and the specific requirements provided for in the GDPR are complied with. In this context, the Court notes that the referring court refers to the exception according to which the adoption of the decision based solely on automated processing may be authorised where this is provided for by the law of the Member State. In this respect, it states that it is for that court to verify whether the national legislation governing the terms of use of a probability value relating to creditworthiness can be classified as a legal basis authorising the adoption of such a decision and, if so, whether the conditions laid down in the GDPR are fulfilled in this case.

Conclusions of the Court

The Court of Justice the European Union (Frist Chamber) rules that article 22(1) GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

AI system(s) involved
  • General purpose AI

Fundamental rights involved
  • Right to data protection
  • Right to privacy
  • Right to non-discrimination
Principles expressly applied
  • Accountability
  • Explainability
  • Non-discrimination
  • Transparency

Case author
Rosa Milà Rafel
Universitat Pompeu Fabra