CJEU - C‑634/21 - SCHUFA Holding (Scoring)

From GDPRhub
CJEU - C‑634/21 SCHUFA Holding (Scoring)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 22(1) GDPR
Article 22(2)(b) GDPR
§31 Bundesdatenschutzgesetz
Decided: 07.12.2023
Parties: Schufa
Case Number/Name: C‑634/21 SCHUFA Holding (Scoring)
European Case Law Identifier: ECLI:EU:C:2023:957
Reference from: VG Wiesbaden (Germany)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a


The CJEU held a credit score is a decision for the purposes of Article 22(1) GDPR, where an action taken by a third party ‘draws strongly’ from it.

English Summary

Facts

A data subject was refused a loan after Schufa (the controller) had provided the data subject’s bank with a negative credit score. Schufa is a credit agency which provides third parties with information relating to individuals’ creditworthiness.

The data subject requested Schufa to provide them with information relating to the data stored and to erase incorrect entries relating to them. As well as, to provide them with a detailed account of the logic involved in the determination of their credit score, and the significance and consequences of the processing of their data. Schufa responded by only providing the applicant with their credit score and a vague outline of its credit-score calculation process, noting that they were unable to disclose a detailed account of the calculation process as this would violate commercial secrecy. Moreover, Schufa noted that it only provided third parties with information which they used to reach decisions, while Schufa itself was not the party to determine the decisions.

Following this, on 18 October 2018, the data subject filed a complaint against Schufa with the Hessian Commissioner for Data Protection (‘HBDI’), requesting that they order Schufa to disclose the logic involved in the determination of their credit score, and the significance and consequences of the processing of their data.

On 3 June 2020, the HBDI dismissed the complaint, holding that Schufa’s processing was compliant with domestic law.[1] The data subject then appealed to the Administrative Court of Wiesbaden, under Article 78(1) GDPR. The Court stayed the proceedings and referred two questions to the CJEU. Only the first question is of relevance, as the CJEU did not consider the second.

  1. Is a credit score issued by one party a decision for the purposes of Article 22(1) GDPR, where a third party draws strongly on that credit score to reach a decision?

Holding

The Court held that a credit score is a decision for the purposes of Article 22(1) GDPR, where a third party ‘draws strongly’ on it to reach a decision. Article 22(1) GDPR provides that ‘the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.’

In interpreting Article 22(1) GDPR, the Court held that it imposes three cumulative conditions for its application:[2]

  1. There must be a decision;
  2. The decision must be based solely on automated processing, including profiling;
  3. The decision must produce legal effects concerning the data subject, or similarly significantly affect them.

In relation to the fulfilment of these three conditions, the Court found that they can be met at different times and by different parties, noting that criterion (3) will be fulfilled,[3] where an action taken by a third party ‘draws strongly’ on a probability value issued by the controller.[4]

In reaching this conclusion, the Court held that ‘there would be a risk of circumventing Article 22 of the GDPR and, consequently, a lacuna in legal protection if a restrictive interpretation of that provision was retained, according to which the establishment of the probability value must only be considered as a preparatory act and only the act adopted by the third party can, where appropriate, be classified as a ‘decision’ within the meaning of Article 22(1) of that regulation.’[5]

Moreover, the Court addressed the relationship between Article 22(2)(b) GDPR and national law. Article 22(2)(b) GDPR provides that Article 22(1) GDPR does not apply if a decision is ‘authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests’.

The Court noted that it is for national courts to determine whether national law is compatible with Article 22(2)(b) GDPR. However, the Court emphasised that Member States cannot adopt regulations under Article 22(2)(b) if these disregard the principles under Article 5 and 6 GDPR and the safeguards under Article 22 GDPR.[6]

If a national court were to find that national law is incompatible with Article 22(2)(b) GDPR, then the general prohibition against automated decision-making under Article 22(1) GDPR would apply and the controller’s processing activities would be in violation of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

  1. §31 of the Bundesdatenschutzgesetz.
  2. Para 43.
  3. The decision must produce a legal effect or similarly significantly affect the data subject.
  4. Para 73.
  5. Para 61.
  6. Para 68.