EU court ruling on the recast of data retention and automated credit scoring: implications for credit institutions under the GDPR
The European Court of Justice (ECJ) has ruled in a case concerning Schufa and data protection that the automated creation of creditworthiness assessments by Schufa violates EU law if it is used as a decisive basis for credit decisions.
In addition, credit reference agencies may not store data from public registers, such as insolvency court registers, for longer than the insolvency court itself. This decision could have far-reaching implications for the business model of credit reference agencies and their interfaces with other companies such as banks and retailers, as it directly affects the practices of credit reference agencies such as Schufa. It calls into question the permissibility of the automated creation of credit scores and the long-term storage of data from public registers. This could mean that Schufa and similar companies will have to revise their data collection and processing procedures in order to comply with the requirements of the GDPR. This in turn may have implications for banks, retailers and other businesses that use such data.