When companies report outstanding debts to credit agencies such as Schufa, they should proceed very carefully: if the main claim and the secondary claim cannot be clearly separated from each other, the report may constitute an impermissible transfer of data and therefore a breach of the General Data Protection Regulation (GDPR). This was decided by the Schleswig-Holstein Higher Regional Court (case no.: 17 U 2/24).
Negative entry with Schufa
A man objected to a negative report that a debt collection agency had made to Schufa. The reported claim resulted from an electricity supply contract that had been terminated without notice due to payment arrears. However, the claim also included ancillary claims such as reminder and transfer fees, the legal basis of which was disputed. In addition, the plaintiff denied that he had ever received proper notification of the registration.
In his lawsuit before the Kiel Regional Court (LG), the man demanded, among other things, the deletion of the negative entry at Schufa and at least 5,000 euros in damages in accordance with Art. 82 GDPR. The Regional Court awarded him 500 euros in damages and ordered the debt collection company to revoke the negative entry with Schufa. The debt collection company appealed against the first-instance judgment.
Information for score calculation must be correct
In particular, the Higher Regional Court (OLG) examined the legal requirements for the legality of Schufa reports:
According to Art. 6 para. 1 lit. f GDPR, the processing of personal data is only lawful if it is based on a legitimate interest that is not outweighed by the interests of the data subject. This balancing was carried out taking into account the criteria of Section 31 (2) BDSG.
In this regard, the Schleswig-Holstein Higher Regional Court states: "However, the information about a due claim that has not been settled in accordance with the contract is relevant to protection in a similar way to the determination of a score value. Score values are also sensitive information about a person that provides information about their ability or willingness to pay. In addition, the purpose of Section 31 BDSG, which is intended to protect commercial transactions in the case of scoring and creditworthiness information, and the lack of a separate regulation on the transmission of personal data, means that the legislator implicitly presupposes that only claims that meet the requirements of Section 31 (2) BDSG are legitimately transmitted and used to determine score values."
The court clarified that ancillary claims such as reminder fees or default costs do not allow the same conclusions to be drawn about a debtor's ability or willingness to pay as the main claim. The registration of a claim that includes such items and is not clearly limited to the main claim is unlawful.
In accordance with Section 31 (2) sentence 1 no. 5 BDSG, the debtor must also be informed of a possible report to Schufa prior to registration. As the receipt of the corresponding reminders could not be proven either, the notification was unlawful.
Compensation for damages according to Art. 82 GDPR
Although the entry was unlawful, the court did not consider immaterial damage to be sufficiently proven. The plaintiff had not been able to plausibly demonstrate that the entry had caused the refusal to conclude a contract or creditworthiness problems.
Significance of the Schufa ruling
The ruling tightens the requirements for companies when transmitting data to credit agencies. The following points in particular should be emphasized:
- Stricter verification obligations for the composition of receivables
  Companies must ensure that only receivables that allow conclusions to be drawn about creditworthiness are reported.
- Documentation requirements for the notification
  The debtor's receipt of the information about a possible report must be carefully documented, otherwise the report can be contested.
- Influence of the statute of limitations
  The continuous reporting of claims that are already time-barred is only permissible under strict conditions, as this would significantly impair the interests of the person concerned that are worthy of protection.
The ruling by the Higher Regional Court of Schleswig-Holstein is an important landmark decision that encourages companies to handle personal data responsibly and to comply closely with the GDPR and the BDSG. It shows that data protection law not only serves to protect data subjects, but also specifies the requirements for economic operators.
Source: Judgment of the Schleswig-Holstein Higher Regional Court Ref.: 17 U 2/24 of 24.11.2024