CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA
CJEU - Joined Cases C‑26/22 and C‑64/22 SCHUFA | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 6(1) GDPR; Article 17(1)(d) GDPR; Article 40 GDPR; Article 77(1) GDPR; Article 78(1) GDPR; Article 79 Regulation (EU) 2015/848 on insolvency proceedings; Article 7 Charter of Fundamental Rights of the European Union; Article 8 Charter of Fundamental Rights of the European Union; § 3 Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren im Internet (InsBekV); § 9(1) Insolvenzordnung |
Decided: | 07.12.2023 |
Parties: | UF (data subject and claimant before national court); AB (data subject and claimant before national court); Land Hessen (respondent before national court) |
Case Number/Name: | Joined Cases C‑26/22 and C‑64/22 SCHUFA |
European Case Law Identifier: | ECLI:EU:C:2023:958 |
Reference from: | VG Wiesbaden (Germany) 6 K 441/21.WI |
Language: | 24 EU Languages |
Original Source: | AG Opinion; Judgement |
Initial Contributor: | n/a |
The CJEU held that Article 78(1) GDPR allows for full judicial review of DPA decisions and that credit information agencies are not allowed to process certain data in connection with insolvency proceedings beyond their availability in public databases.
English Summary
Facts
The data subjects UF and AB underwent insolvency proceedings in Germany and were granted an early discharge from remaining debts by court decisions of 17 December 2020 and 23 March 2021 respectively. In accordance with § 9(1) Insolvenzordnung (Insolvency Code) and § 3(1)(2) InsBekV (Regulation on public notifications in insolvency proceedings on the internet), the official publication of these decisions on the debt discharges in the German insolvency register was erased after 6 months.
SCHUFA Holding AG (SCHUFA), a German credit information agency, had recorded these decisions on debt discharges in its own databases and intended to store them for three years after registration, in accordance with a code of conduct under Article 40 GDPR approved by the competent DPA.
UF and AB requested SCHUFA to erase the (no longer public) decisions on the debt discharges. SCHUFA refused and UF and AB lodged complaints with the Hessian DPA (HBDI) under Article 77 GDPR. The HBDI dismissed the complaints, finding SCHUFA's processing lawful.
UF and AB each brought an action under Article 78 GDPR against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce the erasure of the entries concerning them.
The HBDI requested the dismissal of the actions, arguing that Article 77(1) GDPR constitutes a mere "right of petition". On that view, the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome, but could not review the substantive correctness of the decisions.
On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the code of conduct should apply.
The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU:
(1) Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject:
– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,
or
– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation?
(2) Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]?
(3) (a) Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle?
(b) If Question 3a is answered in the affirmative, does it follow from the “right to be forgotten” under Article 17(1)(d) of [the GDPR] that such data must be deleted where the processing period provided for in respect of the public register has expired?
(4) In so far as point (f) of [the first subparagraph of] Article 6(1) of [the GDPR] enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?
(5) Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation?
Advocate General Opinion
Regarding question 1, AG Pikamäe suggested interpreting Article 78(1) GDPR as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under Article 77 GDPR cannot be viewed in the same way as a petition.
As for questions 2 to 5, the AG suggested (i) to interpret Article 6(1)(f) GDPR as meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register, (ii) to interpret Article 17(1)(d) GDPR as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where those data have been unlawfully processed in accordance with Article 6(1) GDPR and (iii) to interpret Article 17(1)(c) GDPR as meaning that the data subject has, in principle, the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) GDPR. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.
Holding
The CJEU followed the AG's opinion almost entirely.
On question 1, the CJEU held that under Article 78(1) GDPR a court reviewing a DPA decision in a complaint procedure under Article 77 GDPR should exercise full jurisdiction and examine all questions of fact and law relevant to the dispute. For a judicial remedy to be effective, a DPA decision must be subject to full judicial review.
As the CJEU clarified, a complaint procedure under Article 77 GDPR is not similar to that of a petition but is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects. Hence, a DPA must deal with a complaint with all due diligence and is required to react appropriately in order to remedy GDPR violations.
The CJEU emphasized that the interpretation of the HBDI that a court could only assess a) whether the DPA has investigated a complaint to the extent appropriate and b) whether a complainant has been informed of the outcome of the investigation would compromise the objectives of the GDPR. The CJEU added that a DPA assessing a complaint has a margin of discretion as to the choice of appropriate and necessary means.
On questions 2 to 5, the CJEU first referred to its reasoning in Meta Platforms and Others (General terms of use of a social network), C‑252/21 on the concept of legitimate interest under Article 6(1)(f) GDPR, emphasizing that said provision lays down three cumulative conditions for the processing of personal data to be lawful (first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the interests or freedoms and fundamental rights of the person concerned by the data protection do not take precedence). The CJEU then held that it is for the referring VG Wiesbaden to ascertain whether the storage of the data at issue by SCHUFA in its own databases meets these requirements for the period during which the data are made available to the public.
Regarding the storing of decisions on debt discharges beyond their public availability, the CJEU held that this processing constitutes a serious interference with the fundamental rights of the data subject, enshrined in Articles 7 and 8 of the Charter. The longer the data are stored with the credit information agency, the greater the requirements relating to the lawfulness of the storage of that information. Article 79 Regulation (EU) 2015/848 on insolvency proceedings leaves it to the Member States to limit the public availability of data stored in insolvency registers, in accordance with the GDPR. The German legislature provides that information on debt discharges is kept in the insolvency register for only six months.
The CJEU reasoned that the discharge from remaining debts in an insolvency proceeding is intended to allow the person who benefits from it to re-enter economic life. Hence, credit information agencies jeopardize this intention when they retain data on such debt discharges beyond their public availability and consider it a negative factor when assessing the person's creditworthiness. In those circumstances, the retention of decisions on debt discharges beyond their public availability cannot be based on Article 6(1)(f) GDPR.
The CJEU also held that the conditions for the lawfulness of the processing of personal data laid down by a code of conduct under Article 40 GDPR cannot differ from the conditions laid down in Article 6(1) of the GDPR. Consequently, a code of conduct cannot be taken into account in the balance of interests under Article 6(1)(f) GDPR.
On the erasure obligations under Article 17 GDPR, the CJEU held that under Article 17(1)(d) GDPR SCHUFA will be under the obligation to erase data on decisions on debt discharges stored beyond the six-month period for which the data are kept in the public insolvency register, because the data would be unlawfully processed. Lastly, the CJEU held that under Article 17(1)(c) GDPR the data subject enjoys a right to object to processing and a right to erasure, unless there are overriding legitimate grounds which take precedence over the interests and rights and freedoms of that person within the meaning of Article 21(1) GDPR, which it is for the controller to demonstrate and, in the current case, for the VG Wiesbaden to examine.
Comment
The decision will have effects far beyond the legal dispute that led to the request for the CJEU's preliminary ruling.
On a procedural level, many DPAs will have to change their practice of treating complaints under Article 77 GDPR as some kind of petition that only leads to a procedure between the DPA and the controller, de facto excluding the data subject lodging the complaint. In order to enable full judicial review, as requested by the CJEU, DPAs will have to provide data subjects with the decision taken on a complaint rather than a mere "outcome letter" under Article 77(2) GDPR, as is common (and now explicitly unlawful) practice among many DPAs.
Notably, even the Commission's proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR appears to largely follow the idea of a data subject lodging a complaint with a DPA being a mere "petitioner" - an idea now struck down by the CJEU. It remains to be seen how the judgment will be reflected in the ongoing legislative process.
On the level of substantive law, credit information agencies such as SCHUFA will have to erase data no longer available in public insolvency registers and might even be disallowed from scraping data from such registers altogether or following a data subject's objection, depending on the circumstances of processing. In addition, and this might be the more dire consequence for the business models of SCHUFA and the like, the question of the lawful retention period for other "negative data" used for creditworthiness assessments is brought back into focus. Credit information agencies will have a hard time arguing that data on e.g. an unpaid invoice of 100€ could be stored for years on end, where the CJEU set very strict boundaries for the retention of data relating to insolvency proceedings, which arguably represent the most serious case of credit unworthiness.