LG Traunstein - 6 O 2465/23: Difference between revisions
m (→Facts) |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 66: | Line 66: | ||
}} | }} | ||
A court held that [[Article 22 GDPR|Article 22 GDPR]] | A court held that [[Article 22 GDPR|Article 22 GDPR]] only applies to the calculation of a credit score by a credit rating agency if no additional information is used in the subsequent loan approval process by a natural person. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller is a credit | The controller is a credit rating agency, which provides information on the creditworthiness of individuals to its partners. This is done by calculating a credit score reflecting the probability of the person fulfilling credit-relevant contracts, based on collected information and past experience of the data subject. | ||
The data subject argued that the credit score calculated by the controller would have negative effects on them make the conclusion of contracts difficult for them. The data subject further argued that the credit scoring by the controller was in violation of [[Article 22 GDPR#1|Article 22(1) GDPR]]. | The data subject argued that the credit score calculated by the controller would have negative effects on them make the conclusion of contracts difficult for them. The data subject further argued that the credit scoring by the controller was in violation of [[Article 22 GDPR#1|Article 22(1) GDPR]]. | ||
Line 82: | Line 82: | ||
The court held that the controller’s assessment of the data subject’s credit worthiness by the controller did not violate [[Article 22 GDPR#1|Article 22(1) GDPR]]. | The court held that the controller’s assessment of the data subject’s credit worthiness by the controller did not violate [[Article 22 GDPR#1|Article 22(1) GDPR]]. | ||
The court held that a prerequisite for the applicability of [[Article 22 GDPR#1|Article 22(1) GDPR]] is that an automated decision has “legal affect” on the data subject, which could be the case if the conclusion of a contract is rejected. However, the court referred to case law of the CJEU and held that an external scoring by a credit rating agency only falls under [[Article 22 GDPR|Article 22]] when the lender draws strongly on that value. According to the court this would only be the case if no other information is recognisably used by a natural person in addition to the external credit score in the credit decision process. | The court held that a prerequisite for the applicability of [[Article 22 GDPR#1|Article 22(1) GDPR]] is that an automated decision has “legal affect” on the data subject, which could be the case if the conclusion of a contract is rejected. However, the court referred to case law of the CJEU (see [https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91634/21_-_SCHUFA C-634/21 (Schufa)]) and held that an external scoring by a credit rating agency only falls under [[Article 22 GDPR|Article 22]] when the lender draws strongly on that value. According to the court this would only be the case if no other information is recognisably used by a natural person in addition to the external credit score in the credit decision process. | ||
The court held that it cannot be derived from [[Article 5 GDPR#2|Article 5(2) GDPR]] that the burden of proof lies on controllers for all claims under the GDPR. The court stated that this only concerns the requirements for the lawfulness of processing that lie within the controller’s sphere of responsibility. Therefore, the court asked the data subject to demonstrate that the controller violated [[Article 22 GDPR#1|Article 22(1) GDPR]]. | The court held that it cannot be derived from [[Article 5 GDPR#2|Article 5(2) GDPR]] that the burden of proof lies on controllers for all claims under the GDPR. The court stated that this only concerns the requirements for the lawfulness of processing that lie within the controller’s sphere of responsibility. Therefore, the court asked the data subject to demonstrate that the controller violated [[Article 22 GDPR#1|Article 22(1) GDPR]]. | ||
Line 94: | Line 94: | ||
The court also held that the data subject had no claim for damages under [[Article 82 GDPR]], as the controller did not violate the GDPR in calculating the credit scores. The data subject could also not demonstrate it suffered any specific damage as a result of the information provided by the controller. | The court also held that the data subject had no claim for damages under [[Article 82 GDPR]], as the controller did not violate the GDPR in calculating the credit scores. The data subject could also not demonstrate it suffered any specific damage as a result of the information provided by the controller. | ||
The court further held that the access request of the data subject had been fulfilled by the controller. The controller provided sufficient information about the data stored about the data subject by sending a copy of the data. According to the | The court further held that the access request of the data subject had been fulfilled by the controller. The controller provided sufficient information about the data stored about the data subject by sending a copy of the data. According to the court [[Article 15 GDPR#1h|Article 15(1)(h) GDPR]] is only applicable in cases of automatic decision making in accordance with [[Article 22 GDPR|Article 22 GDPR]]. Therefore, there is no further claim to information about the specific calculation method used for scoring, i.e. the algorithm behind it. Also, the court held that the controller could invoke its right to protect its business secrets under [[Article 15 GDPR#4|Article 15(4) GDPR]]. | ||
Thus, the court dismissed the case. | Thus, the court dismissed the case. | ||
== Comment == | == Comment == | ||
Although the Regional Court Traunstein takes the recent CJEU decision [https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91634/21_-_SCHUFA C-634/21 (Schufa)] into account when discussing the applicability of [[Article 22 GDPR#1|Article 22(1) GDPR]] to credit scoring by a credit rating agency, the CJEU clearly stated that [[Article 22 GDPR#1|Article 22(1) GDPR]] applies when a third party “draws strongly” on the credit score to reach a decision (see [https://curia.europa.eu/juris/document/document.jsf?text=&docid=280426&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=13737979 para 75]). The Regional Court Traunstein seems to interpret the phrase “draws strongly on” too narrowly when deeming that [[Article 22 GDPR|Article 22(1) GDPR]] is not applicable as soon as a natural person recognisably considers any other information in the lending process. Such a narrow interpretation cannot be inferred from the CJEU case law. | |||
In addition, the Regional Court Traunstein shifts the burden of proof for the lawfulness of the calculation of credit ratings to the data subjects by demanding that they proof that the calculations fall under [[Article 22 GDPR#1|Article 22(1) GDPR]]. In fact, the controller is responsible to demonstrate that the processing is carried out in accordance with the GDPR (see [https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91340/21_-_Natsionalna_agentsia_za_prihodite CJEU C-340/21], § 51 et seqq). [[Article 24 GDPR]] clearly states that the controller needs to be able “to demonstrate that processing is performed in accordance with this Regulation”. This is not limited to the compliance with the principles under [[Article 5 GDPR]]. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 12:43, 4 July 2024
LG Traunstein - 6 O 2465/23 | |
---|---|
Court: | LG Traunstein (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 5(2) GDPR Article 15(1)(h) GDPR Article 15(4) GDPR Article 22(1) GDPR |
Decided: | 22.05.2024 |
Published: | 19.06.2024 |
Parties: | |
National Case Number/Name: | 6 O 2465/23 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Bayern Recht (in German) |
Initial Contributor: | ec |
A court held that Article 22 GDPR only applies to the calculation of a credit score by a credit rating agency if no additional information is used in the subsequent loan approval process by a natural person.
English Summary
Facts
The controller is a credit rating agency, which provides information on the creditworthiness of individuals to its partners. This is done by calculating a credit score reflecting the probability of the person fulfilling credit-relevant contracts, based on collected information and past experience of the data subject.
The data subject argued that the credit score calculated by the controller would have negative effects on them make the conclusion of contracts difficult for them. The data subject further argued that the credit scoring by the controller was in violation of Article 22(1) GDPR.
The data subject therefore claimed injunctive relief at the Regional Court Traunstein (“Landsgericht Traunstein”). The data subject also claimed non-material damages of at least € 5,000 from the controller due to unlawful and discriminatory processing of their personal data when calculating the credit score. This included using their address, age and gender for calculating the credit score by the controller. Furthermore, the data subject argued that their right of access under Article 15(1)(h) GDPR was not fulfilled. The data subject requested the court to order the controller to provide information on the specific manner the credit score was calculated, including the calculation method used, the personal characteristics of the data subject used for the calculation, the various risk classes and how they are categorized, the weighting of categories of criteria and of individual criteria in relation to each other that most strongly influence the final credit score and more.
The controller argued that besides providing the credit score to its partners, it also provides the information on which the score calculation is based. The data subject was able to conclude various credit-relevant contracts in the recent past even after the controller provided credit scores to the potential contractual partners of the data subject. The controller argued that the data subject’s claims were generalised and unsubstantiated, as they could not name a specific contract that failed due to the credit score provided by the controller. Regarding the data subject’s claim to access, the controller argued that the data subject had no legal claim to the allocation of certain score values or the calculation method, as this was a business secret.
Holding
The court held that the controller’s assessment of the data subject’s credit worthiness by the controller did not violate Article 22(1) GDPR.
The court held that a prerequisite for the applicability of Article 22(1) GDPR is that an automated decision has “legal affect” on the data subject, which could be the case if the conclusion of a contract is rejected. However, the court referred to case law of the CJEU (see C-634/21 (Schufa)) and held that an external scoring by a credit rating agency only falls under Article 22 when the lender draws strongly on that value. According to the court this would only be the case if no other information is recognisably used by a natural person in addition to the external credit score in the credit decision process.
The court held that it cannot be derived from Article 5(2) GDPR that the burden of proof lies on controllers for all claims under the GDPR. The court stated that this only concerns the requirements for the lawfulness of processing that lie within the controller’s sphere of responsibility. Therefore, the court asked the data subject to demonstrate that the controller violated Article 22(1) GDPR.
The court then concluded that the data subject was not able to come up with a single decision by a potential contractual partner regarding the conclusion, execution and termination of a contractual relationship in which a potential contractual partner drew strongly on the credit score. The controller on the other hand did submit proof that the data subject was able to conclude contracts in the recent past, such as the opening of a bank account and a contract for a credit card with partners of the controller.
During the oral hearing before the court, the data subject was also unable to cite a negative decision by a potential partner in which a score calculated by the controller was allegedly taken into account, despite repeated requests by the court. Therefore, the data subject was unable to demonstrate that the controller violated Article 22(1) GDPR.
The court also rejected the data subject’s argument that discrimination against them took place. The court held that the age or gender of the data subject was not taken into account calculating the credit scores of the data subject. The controller also did not use addresses of the data subject for the calculation of the credit scores. The court therefore dismissed the application for injunctive relief.
The court also held that the data subject had no claim for damages under Article 82 GDPR, as the controller did not violate the GDPR in calculating the credit scores. The data subject could also not demonstrate it suffered any specific damage as a result of the information provided by the controller.
The court further held that the access request of the data subject had been fulfilled by the controller. The controller provided sufficient information about the data stored about the data subject by sending a copy of the data. According to the court Article 15(1)(h) GDPR is only applicable in cases of automatic decision making in accordance with Article 22 GDPR. Therefore, there is no further claim to information about the specific calculation method used for scoring, i.e. the algorithm behind it. Also, the court held that the controller could invoke its right to protect its business secrets under Article 15(4) GDPR.
Thus, the court dismissed the case.
Comment
Although the Regional Court Traunstein takes the recent CJEU decision C-634/21 (Schufa) into account when discussing the applicability of Article 22(1) GDPR to credit scoring by a credit rating agency, the CJEU clearly stated that Article 22(1) GDPR applies when a third party “draws strongly” on the credit score to reach a decision (see para 75). The Regional Court Traunstein seems to interpret the phrase “draws strongly on” too narrowly when deeming that Article 22(1) GDPR is not applicable as soon as a natural person recognisably considers any other information in the lending process. Such a narrow interpretation cannot be inferred from the CJEU case law.
In addition, the Regional Court Traunstein shifts the burden of proof for the lawfulness of the calculation of credit ratings to the data subjects by demanding that they proof that the calculations fall under Article 22(1) GDPR. In fact, the controller is responsible to demonstrate that the processing is carried out in accordance with the GDPR (see CJEU C-340/21, § 51 et seqq). Article 24 GDPR clearly states that the controller needs to be able “to demonstrate that processing is performed in accordance with this Regulation”. This is not limited to the compliance with the principles under Article 5 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: No violation of the General Data Protection Regulation through credit rating Chains of standards: GDPR Art. 5, Art. 15, Art. 17, Art. 22, Art. 82 AGG § 19 Para. 1, § 21 KWG § 18a BGB § 249, § 505a, § 823, § 1004 Principles: 1. If the person concerned who files a lawsuit against a credit scoring cannot specifically name a single decision by a potential contractual partner regarding the conclusion, implementation and termination of a contractual relationship in which the score value was taken into account, a violation of Art. 22 GDPR is not demonstrated. (Rn. 24 - 30) (editorial guideline) 2. If the age or gender of the person concerned is not taken into account in a scoring process to assess the creditworthiness of a person, unlawful discrimination on the grounds of age or gender cannot be established. (Rn. 31) (editorial guideline) Keywords: Admissibility, application for a declaratory judgment, Art. 22 GDPR, discrimination, claim for damages, right to information, claim for injunctive relief Source: GRUR-RS 2024, 12349 Tenor 1. The action is dismissed. 2. The plaintiff must bear the costs of the legal dispute. 3. The judgment is provisionally enforceable against security in the amount of 110% of the amount to be enforced. 4. The value in dispute is set at €6,000.00. Facts 1 The plaintiff asserts various claims as a result of alleged violations of data protection law by the defendant. 2 The defendant is a joint institution of the lending industry in Germany. The defendant's task is to support its contractual partners with information in assessing the creditworthiness of potential or existing customers of credit-related transactions. For this purpose, the defendant maintains a database with over 68 million data sets on people who are economically active in Germany. The defendant is a private company and not a government agency. The defendant's contractual partners regularly send the defendant relevant data from business relationships with their customers (such as information about loans that have been fulfilled reliably or unreliably). The defendant stores the data sent to it in order to be able to provide information to its contractual partners. However, the defendant only provides information if the contractual partners assert a legitimate interest, such as when a loan application is submitted. With the help of the defendant's information and other information, the contractual partner can determine the statistical risk of payment defaults for the specific credit-related transaction. Based on the electronic data stored by the defendant on a person, the defendant can calculate a so-called score value for that person. When scoring, the defendant calculates a forecast of future events or behavior of the person in relation to the fulfillment of credit-relevant contracts based on collected information and past experience. On this basis, the defendant calculates a probability value with which the person fulfills credit-relevant contracts. The defendant has since blocked the plaintiff's data for disclosure as a precautionary measure. 3 The plaintiff argues that the score values provided by the defendant on the plaintiff would have "fatal" and generally negative effects on the plaintiff and the conclusion of contracts. This means that the plaintiff is practically considered credit-unworthy. It is of the legal opinion that the scoring process carried out by the defendant is in clear violation of Art. 22 Para. 1 GDPR and cannot be justified. In fact, a negative score is usually accompanied by the rejection of subsequent contracts sought. In addition, the plaintiff is of the legal opinion that, due to the unlawful data processing regularly carried out by the defendant, it has a claim under §§ 823 para. 1, 1004 para. 1 sentence 1, 249 sentence 1 BGB to oblige the defendant to increase the score values to the ideal ranges set by the defendant due to the culpably unlawful scoring, so that the unlawful scoring has no further negative effects on the plaintiff's life (claim II). The so-called basic score should be set at a value of 97.22% or higher, the industry score value at 9999, rating level A, and the orientation value at an ideal range of 100-199. With regard to claim III., the defendant should be obliged to transmit the score values relating to the plaintiff at the corresponding ideal values in the future when enquiries are made. It is of the legal opinion that it has a claim based on a violation of the general right of personality through the non-transparent automated processing of sensitive personal data of the plaintiff. The plaintiff bases the injunction application IV on Section 1004 Paragraph 1 Sentence 2 of the German Civil Code and the violation of the plaintiff's general right of personality. 4 The plaintiff also asserts a claim for non-material damages of at least €5,000 against the defendant (claim V). It based this on the defendant's, in its view, often unlawful and discriminatory creation of credit ratings, as this illegally prevented it from concluding numerous contracts. With regard to claim VI, the plaintiff is of the opinion that its right to information under Article 15 Paragraph 1 h of the GDPR has not yet been adequately fulfilled. There is also a further claim for an injunction (claim VII). 5 The plaintiff requests, I. It is determined that the creation of the plaintiff's credit score, i.e. the so-called "basic score values", the so-called "industry score values" and the so-called "orientation values", based on a decision by the defendant based exclusively on automated processing is unlawful; II. The defendant is ordered to increase the plaintiff's basic score value to a value of 97.22% and all industry score values to 9999 and the orientation value to a value between 199 and 100; III. The defendant is ordered to transmit a value of at least 97.22% for the basic score value, all industry score values exclusively to 9999 and a value between 199 and 100 for the orientation value each time the S. score values are queried for the plaintiff; IV. The defendant is ordered to refrain from communicating to other persons or companies all scoring values created by the defendant concerning the plaintiff, including the so-called basic score values, the so-called industry score values and the so-called orientation values, with regard to the basic score value below 97.22%, with regard to all industry score values below 9999 (ideal value) and with regard to the orientation value above 199, on pain of a fine of up to €250,000.00 for each case of infringement or, if this cannot be collected, a fine or detention of up to six months, to be enforced against one of the members of the defendant's board of directors; V. The defendant is ordered to pay the plaintiff reasonable compensation, the amount of which is left to the court's discretion, but at least €5,000.00 plus interest of 5 percentage points above the base interest rate since the action was brought; VI. The defendant is ordered to provide information on the specific way in which the plaintiff's credit score values, i.e. the base score value, all industry score values and the orientation value, were calculated, in particular in a comprehensible and verifiable manner a. the calculation method used for this, b. the calculation parameters used for this, c. the personal characteristics of the plaintiff used for the calculation, d. the risk classes into which the respective score values are classified and their precise breakdown and design, e. the weighting of categories of criteria and the individual criteria in relation to each other that have the greatest influence on the probability value, f. the significance of the specific probability value, g. to present the probability values created and their recipients; VII. The defendant is ordered, on pain of a fine of up to €250,000.00 for each case of infringement or, if this cannot be collected, a fine or detention of up to six months, to be enforced against one of the members of the defendant's board of directors, to refrain from including the following characteristics in the creation of the S. score values relating to the plaintiff, this includes the so-called basic score values, the so-called industry score values and the so-called orientation values: a. special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679, b. the name of the plaintiff or personal data from their use of social networks, c. Information about incoming and outgoing payments to and from bank accounts, which are not related to the plaintiff's payment behavior, in particular data from the neighborhood; VIII. The defendant is ordered to pay the plaintiff out-of-court legal costs of €1,295.43 plus interest thereon of 5 percentage points above the base interest rate since the action was filed. 6 The defendant requests, 7 The defendant states that it usually provides its contractual partners with information on the information underlying the score calculation along with a score value. The plaintiff has demonstrably been able to conclude various credit-related contracts in the recent past after the defendants provided their respective contractual partners with score values on the plaintiff at their request. The plaintiff's blanket and unsubstantiated statement does not name a specific failed or difficult conclusion of a contract by the plaintiff. The decision on whether to conclude a contract relevant to creditworthiness would be made by the contracting parties or the readers of a credit report prepared by the defendant in each individual case after considering all the circumstances. The information provided by the defendant would only help to check the plaintiff's creditworthiness. 8 The defendant does not store any score values for information purposes. It recalculates the score values for information to be provided to its contractual partners in individual cases based on a specific request from its contractual partners on a daily basis. To ensure a high degree of transparency towards the person concerned, the defendant also regularly calculates a so-called basic score (for data information pursuant to Art. 15 GDPR) or orientation value (as additional information for so-called credit reports intended for submission to third parties). These basic scores or orientation values are calculated exclusively for the person concerned and are only provided to them. No information is provided to third parties. 9 With regard to claims II-IV, the defendant is of the opinion that the plaintiff has no legal right to be assigned certain score values or to receive corresponding information. Since the scoring process was carried out lawfully by the defendant, there is no unlawful data processing within the meaning of Art. 82 Para. 2 GDPR. Further grounds for claims would already fail due to the priority of application of the GDPR. 10 With regard to the request for information VI, the defendant is of the opinion that the scope of application of Art. 15 Para. 1 h GDPR has not yet been opened and that any claim is already fulfilled by the data copy dated June 2, 2023, among other things. (Appendix K1) The plaintiff was informed for the first time on November 20, 2019 by the defendant in general terms about the defendant's data processing and its scoring procedure in accordance with the provisions of the GDPR. The defendant has thus already provided the plaintiff with all the information owed under Art. 15 GDPR. With regard to the underlying calculation procedure, the defendant can rely on its trade secret. 11 The claim asserted by the plaintiff to refrain from including certain information in the defendant's scoring (request VII) is unspecified in content. The plaintiff has not presented any case in which the defendant used these data categories to calculate a score value, so that there is no risk of repetition. 12 To supplement the facts of the case, reference is also made to the parties' written submissions and attachments. 13 The court heard the plaintiff for information at the oral hearing on April 24, 2024. Reference is made to the minutes of the hearing. Reasons for the decision 14 The admissible action is unfounded. 15 The action is admissible. 16 With a value in dispute of €6,000, the Traunstein Regional Court has substantive jurisdiction under Sections 23 No. 1, 71 Para. 1 GVG and local jurisdiction under Section 44 Para. 1 Sentence 2 BDSG, since the plaintiff has her usual place of residence in the regional court district. 17 The application for a declaratory judgment pursuant to Section 256 Paragraph 1 of the Code of Civil Procedure is also admissible with regard to claim 1, since the plaintiff at least argues that she is threatened with further damage as a result of the alleged unlawful act and that the development of damage is therefore not yet complete. 18 The action is, however, completely unfounded, since the plaintiff's request cannot be supported by any legal basis. 19 1. The assessment of the plaintiff's creditworthiness carried out by the defendant in the specific manner does not violate Art. 22 Paragraph 1 of the GDPR or any other provisions of national law. The plaintiff has not specifically demonstrated a violation of the prohibition of discrimination under Section 19 Paragraph 1 No. 1 of the General Equal Treatment Act. Application for a declaratory judgment I is therefore unfounded. 20 a) The prerequisite for the applicability of Article 22 (1) GDPR is, first of all, that a person is "subjected to a decision based exclusively on automated processing [...] which produces legal effects concerning him or her or similarly affects him or her". What is to be regarded as a "legal effect" is controversial (Buck-Heeb BKR 2023, 137 (140) mwN., Taeger/Gabel/DSGVO/BDSG/TTDSG/Taeger, 2022, GDPR Art. 22 para. 45 ff.). According to one view, "only legally advantageous transactions should be excluded from the scope of application" and the prohibition norm should not apply because this is not covered by the protective purpose of the norm. According to a more far-reaching view, the rejection of a contract due to a lack of change in the status quo should not have any "legal effect" on the person concerned, unless there is an obligation to contract, such as under Section 31 Paragraph 1 Sentence 1 of the ZKG. However, the rejection of a contract can have a "similar impairment". As a result, if a contract is rejected, Art. 22 Paragraph 1 of the GDPR will apply. The negative decision must be based "exclusively on automated processing - including profiling" to be inadmissible. This is not the case if the credit rating is reviewed in terms of content by a natural person with decision-making authority who makes a decision within the scope of his or her discretion, taking the score into account. The decision-maker must make an "evaluative selection" and have the authority to do so. If necessary, the person authorized to make a decision must obtain further information before making his or her decision (Taeger: External scoring as an "automated decision in individual cases" on the granting of credit, BKR 2024, 41). 21 In its judgment of December 7, 2023 - C-634/21, the ECJ had to assess the question of whether the calculation of a credit rating (score) for a company that is considered negative and leads to the rejection of a contract with a potential customer constitutes an automated decision in individual cases that is inadmissible under Art. 22 (1) GDPR. According to the order for reference of the VG Wiesbaden (VG Wiesbaden, order of October 1, 2021 - 6 K 788/20, BKR 2021, 782, beck-online), it should be clarified whether "the activity of credit reporting agencies to create score values on data subjects and to transmit these without further recommendation or comment to third parties (e.g. banks), who then enter into contractual relationships with the data subject with significant consideration of this score value or refrain from doing so, falls within the scope of Art. 22 (1) GDPR". 22 In broad agreement with the Advocate General's opinion, the ECJ answered the first question in the order for reference by holding that "Art. 22 (1) GDPR is to be interpreted as meaning that an ‘automated decision in an individual case’ […] exists if a probability value based on personal data relating to a person is automatically created by a credit agency with regard to that person’s ability to meet future payment obligations, provided that this probability value is crucial in determining whether a third party to whom this probability value is transmitted establishes, implements or terminates a contractual relationship with that person.” The ECJ deals in detail with the not legally defined term ‘decision’. Because Recital 71 states that no one should be subjected to a decision evaluating personal aspects concerning them that is based exclusively on automated processing, and the Advocate General has shown that the term can include several actions that can affect the person concerned in many ways, it can be interpreted broadly enough to also include the calculation of creditworthiness by scoring. Consequently, the decision must also include the "result of the calculation of a person's ability to meet future payment obligations in the form of a probability value". This means that Art. 22 GDPR is applicable to the defendant's external scoring. However, the prerequisite remains that the score is a decisive factor in the lender's decision, so that it is not the creation of the score value in itself, as stated by the plaintiff, that violates Art. 22 GDPR, but only if no other information is clearly used by a natural person in addition to the external score in the credit decision process. 23 It must also be taken into account that a credit institution is obliged under supervisory law according to Section 18a Para. 1 of the German Banking Act (KWG) and every lender is even obliged under civil law according to Section 505a of the German Civil Code (BGB) to check the consumer's creditworthiness before concluding a consumer loan agreement. 24 In principle, the burden of presentation and proof with regard to the facts favorable to the plaintiff lies with the plaintiff, which the Federal Court of Justice has clarified with regard to Art. 17 Para. 1 GDPR (BGH, decision of July 27, 2020 - VI ZR 476/18, MMR 2021, 239). The Stuttgart Higher Regional Court, which the court expressly agrees with, states: "Contrary to the plaintiff's view, it is not the defendant's responsibility to demonstrate an overriding interest in storage over his interests. Such a burden of presentation and proof for all claims derived from the GDPR does not arise from Art. 5 Para. 2 GDPR, according to which the controller is responsible for compliance with the principles set out in Art. 5 Para. 1 GDPR and must be able to prove compliance. This only concerns the conditions for the admissibility of the processing that lie within his sphere. Rather, national law applies to the burden of explanation and proof applicable to individual claims of those affected (see already in detail Senate, judgment of March 31, 2021 - 9 U 34/21, cited according to juris, para. 44 et seq.). According to this, the interests to be taken into account in the specific balancing of interests to be carried out in accordance with Art. 6 (1) f) GDPR must be presented by the person affected himself" (OLG Stuttgart judgment of August 10, 2022 - 9 U 24/22, BeckRS 2022, 20818 para. 33, beck-online) 25 The plaintiff does not specifically name a single decision by a potential contractual partner regarding the conclusion, implementation and termination of a contractual relationship with the plaintiff in which a score value calculated by the defendant was taken into account. 26 The defendant, on the other hand, has specifically stated that the plaintiff herself has been able to conclude credit-relevant contracts in the recent past, such as opening a checking account on May 25, 2023 with ...GmbH or a contract for a credit card since September 2022 with N. Bank Ltd. These contracts were reported to the defendant by her contractual partners (Appendix B1). 27 The plaintiff also only made a general claim that the defendant had disproportionately impaired her lifestyle. 28 During her informative hearing at the oral hearing on April 25, 2024, the plaintiff was also unable, despite repeated inquiries, to name a negative decision by a potential contractual partner in which a score value calculated by the defendant was said to have been taken into account. Rather, she initially stated that her doctors would demand advance payments due to her poor creditworthiness, although doctors are not generally contractual partners of the defendant. She then went on to talk about cell phone contracts and car financing without giving any details. The only concrete example that was presented in writing is the rejection of financing by consors finanz, ... (Appendix K 12a). When asked by the court, the plaintiff initially gave an evasive answer, saying that she had not previously had an account with the bank. As the hearing continued and after several specific questions were asked, she finally admitted that she had previously had a credit card with this bank and, when asked further, she admitted that the bank had canceled the credit card account due to late payment because she had not paid the interest. From the court's point of view, this does not show that the rejection of this specific loan application was based primarily on the defendant's transmission of a score value. Rather, from the court's point of view, it is likely that the fact that the defendant was already known to the potential bank as an unreliable payer in the past also contributed significantly to the decision. 29 In response to further specific questions, the plaintiff finally stated that she had not applied for an apartment in the past, although she had previously stated that rental contracts had also been rejected due to negative information from the defendant. In response to further questions as to whether there were any specific disadvantages due to the S. scores, the plaintiff's representative referred to the aforementioned Appendix K 12a. Despite the court's corresponding advice, the plaintiff was unable to name any specific contracts in the written submission of May 8, 2024 following the oral hearing in which a score from the defendant was decisive for a negative contract decision. 30 The plaintiff has therefore not been able to demonstrate that the defendant violated Art. 22 Para. 1 DSGV. 31 b) There is no specific evidence of discrimination against the plaintiff. No scoring method was used for the plaintiff that specifically took the plaintiff's age or gender into account. There is no inadmissible discrimination on the basis of age or gender. The defendant also did not use addresses to calculate score values for the plaintiff in the last twelve months before the data information provided to it on June 2, 2023. This is already clear from the table contained in Appendix K 1 ("Address data: n/a." "n/a" - "not used"). 32 The plaintiff's application for a declaratory judgment is therefore unfounded. 33 2. With regard to claims II to IV, there is no claim under Sections 823 Para. 1, 1004 Para. 1 Sentence 1, 249 Sentence 1 of the German Civil Code to increase the score values in the range of ideal values and to provide the defendant's contractual partners with corresponding information. The application for an injunction based on this cannot therefore be successful either. First of all, the provisions relied on by the plaintiff are not applicable in view of the priority of application of the data protection law that has been finally standardized throughout the Union (BGH, judgment of July 27, 2020 - VI ZR 405/18, ZD 2020, 634, beck-online, para. 64 with further evidence). As already explained, the defendant's "scoring" was also not unlawful. In addition, the plaintiff contradicts itself with its applications. On the one hand, in claim I, it is of the opinion that the disclosure by the defendant is unlawful; on the other hand, in claims II-IV, it requests future disclosure with a very good credit rating. The plaintiff is thus seeking a conviction of the defendant for providing its contractual partners with information that is most likely incorrect, although it actually believes that information is generally unlawful. However, there is no right to the defendant providing specific information - and certainly not to the defendant providing incorrect information (BGH, judgment of January 28, 2014 - VI ZR 156/14, BKR 2014, 193, beck-online). There is only a right to the correction or deletion of incorrect information on which the score calculation is based. However, this is not presented by the plaintiff. 34 3. The plaintiff has no claim to damages under Art. 82 GDPR or Section 21 AGG or Section 823 Para. 1 BGB in conjunction with Section 249 Para. 2 Sentence 1 BGB in the amount of at least €5,000. There is no claim to damages under Art. 82 GDPR because the defendant did not violate any data protection regulations in its scoring process. In any case, the plaintiff has not demonstrated that she suffered any specific damage as a result of the defendant providing information. The plaintiff has the burden of explanation and proof in this regard. The plaintiff bases its claim for damages on economic disadvantages due to the rejection of contracts as a result of the commission by the defendant. As an example, in its written submission of March 12, 2024, the plaintiff again cites the rejection of the loan application by ... S.A. (Appendix K 12 a). Despite the corresponding announcement and although this topic was discussed in detail in the oral hearing, the plaintiff has not presented any further rejection decisions in which the information provided by the defendant was decisive for the decision. The court is convinced that the loan rejection submitted as Appendix K 12 cannot, as already stated, be based essentially on corresponding information from the defendant, but rather on the bank's negative experiences with the plaintiff with regard to its ability to pay. 35 Other grounds for claims are not possible due to the priority of data protection regulations (BGH, judgment of July 27, 2020, case number VI ZR 405/18, BeckRS 2020, 23312, para. 64). 36 4. The plaintiff has no further right to information about the defendant's scoring process (claim Vi), as any claim has in any case been fulfilled. The right to information under Art. 15 paragraph 1 h GDPR only concerns cases of automated decision-making in accordance with Art. 22 paragraphs 1 and 4 GDPR. As already explained, however, the plaintiff has not stated that she is subject to such exclusively automated decision-making that has legal effects on her or significantly affects her in a similar way. The defendant provided sufficient information about the data stored by it about the plaintiff by sending the data copy dated June 2, 2023 (Appendix K1). According to the wording of Art. 15 (1) h GDPR, there is no further right to information about the specific calculation method for scoring, i.e. the algorithm behind it. In this regard, the defendant can legitimately rely on its trade secret (Art. 15 (IV) GDPR). 37 5. There is also no right to refrain from including certain information in the defendant's scoring (claim VII). The plaintiff has not presented a specific case in which the defendant used these data categories to calculate a score value for her. This means that there is no risk of repetition required for the injunction (BGH, judgment of December 18, 2015 - V ZR 160/14, NJW 2016, 863). The defendant has substantively disputed the plaintiff's general statement without reference to a specific case. The reference to press reports or other publications without reference to the plaintiff is not sufficient to meet the plaintiff's burden of explanation and proof for the asserted claim. 38 6. In the absence of a main claim, the plaintiff has no claim to reimbursement of the asserted out-of-court legal costs either under Section 823 of the German Civil Code or on the grounds of delay. 39 The decision on costs is based on Section 91 Paragraph 1 of the Code of Civil Procedure. 40 The decision on provisional enforceability has its legal basis in Section 709 Sentence 1 and 2 of the Code of Civil Procedure. 41 In contrast to the information in the statement of claim, the court estimated the value in dispute in accordance with Sections 39, 40, 43, 48 (1), 2 GKG in conjunction with Section 3 ZPO based on the plaintiff's economic interest in the legal dispute. Since the claim does not provide any specific information on this, with the exception of the claimed amount of €5,000 in compensation for pain and suffering, the court estimates this interest at a maximum of €6,000, which was already discussed in agreement with the party representatives at the oral hearing on April 20, 2024.