CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA

From GDPRhub
Revision as of 09:51, 12 December 2023 by MB (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=Joined Cases C‑26/22 and C‑64/22 SCHUFA |ECLI=ECLI:EU:C:2023:958 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=713ED93629C16790E0BDF443F515831F?text=&docid=271345&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=824311 |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=713ED93629C16790E0BDF443F515831F?text=&docid=280428&pageIndex=0&doclang=EN&mode=lst&dir=&occ=fi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - Joined Cases C‑26/22 and C‑64/22 SCHUFA
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1) GDPR
Article 17(1)(d) GDPR
Article 40 GDPR
Article 77(1) GDPR
Article 78(1) GDPR
Article 7 Charter of Fundamental Rights of the European Union
Article 8 Charter of Fundamental Rights of the European Union
§ 3 Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren im Internet (InsBekV)
§ 9(1) Insolvenzordnung
Decided: 07.12.2023
Parties: UF (data subject and claimant before national court)
AB (data subject and claimant before national court)
Land Hessen (respondent before national court)
Case Number/Name: Joined Cases C‑26/22 and C‑64/22 SCHUFA
European Case Law Identifier: ECLI:EU:C:2023:958
Reference from: VG Wiesbaden
6 K 441/21.WI
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a

Lorem ipsum

English Summary

Facts

The data subjects UF and AB underwent insolvency proceeding in Germany and were granted an early discharge from remaining debts by court decisions of17 December 2020 and 23 March 2021 respectively. In accordance with § 9(1) Insolvenzordnung (Insolvency Code) and § 3(1)(2) InsBekV (Regulation on public notifications in insolvency proceedings on the internet), the official publication of these decisions on debt discharges was erased after 6 months.

SCHUFA Holding AG (SCHUFA), a German credit reference agency had recorded these decisions on debt discharges in their own data bases and intended to store it for three years after registration, in accordance with a code of conduct under Article 40 GDPR approved by the competent DPA.

UF and AB requested SCHUFA to erase the (no lomger public) decisions on the debt discharges. SCHUFA refused, UF and AB lodged complaints with the Hessian DPA (HBDI). The HBDI dismissed the complaints, finding SCHUFA's processing lawful.

UF and AB each brought an action under Article 78 GDPR against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce deletion of the entries concerning them.

The HBDI requested the dismissal of the actions, arguing that Article 77(1) GDPR constitutes a mere "right of petition". Hence the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome but not review the substantive correctness of the decisions. On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the codes of conduct should apply.

The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU:

(1) Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject:

– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,

or

– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation?

(2) Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]?

(3) (a) Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle? (b) If Question 3a is answered in the affirmative, does it follow from the “right to be forgotten” under Article 17(1)(d) of [the GDPR] that such data must be deleted where the processing period provided for in respect of the public register has expired?

(4) In so far as point (f) of [the first subparagraph of] Article 6(1) of [the GDPR] enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?

(5) Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation?

Advocate General Opinion

Lorem ipsum

Holding

Lorem ipsum

Comment

Lorem ipsum

Further Resources

Share blogs or news articles here!

Retrieved from "https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C‑26/22_and_C‑64/22_-_SCHUFA&oldid=37446"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki