• +49 (0) 30 22 19 220 20
  • dr.schulte@dr-schulte.de

Schufa – What is credit history in Germany?

  • Dr Schulte dociera do sedna doradztwa strategicznego i prawnego
  • Wydajne i cyfrowe przetwarzanie przez nasz zespół - online i offline
  • Uczciwe doradztwo i rozwiązywanie problemów z jasno określonymi kosztami i perspektywami sukcesu
  • Jeden kontakt do wszystkiego! Zajmujemy się komunikacją i planowaniem z sądami, urzędami, firmami ubezpieczeniowymi, notariuszami itp.

Schufa – What is credit history in Germany?, Dr. Thomas Schulte, Lawyer in Berlin/Germany

When it comes to protecting credit history, courts are often hesitant. However, some decisions give cause for hope.

An unauthorized entry in the Schufa credit agency database constitutes a violation of the General Data Protection Regulation (GDPR) and can have serious consequences for the person concerned. The GDPR protects personal data and provides for a right to compensation for data subjects if damage is caused by the unlawful processing of this data. Article 82 GDPR grants data subjects a right to compensation for both material and non-material damage. This article is often invoked in cases of unauthorized entries at credit agencies such as Schufa, as such entries can deeply affect the private life and financial integrity of the data subjects.

Example of an unauthorized SCHUFA entry

Mr. Holger Müller, an entrepreneur from Nuremberg, learns that his application for a construction loan has been rejected because he allegedly has a negative credit rating with SCHUFA. He requests a self-disclosure from SCHUFA and discovers that there is a claim from a debt collection agency that he settled several months ago and whose entry was, incidentally, unlawful. Despite several requests to SCHUFA and the debt collection agency, the entry was not deleted. As the negative entry significantly impairs Mr. Müller’s creditworthiness and he is now having difficulty meeting his financial obligations, he has engaged a lawyer to have the entry deleted and to assert claims for damages under the GDPR.

Legal basis under the GDPR

Article 82(1) GDPR provides that any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. In Mr. Müller’s case, such a breach lies in the fact that SCHUFA unlawfully stored and processed personal data even though the basis for the processing – in this case the alleged claim – no longer existed. The failure to delete the entry after a request to do so also violates the GDPR, as this constitutes an infringement of the right to erasure (“right to be forgotten,” Art. 17 GDPR).

Material damages

Material damages can be far-reaching in the case of unlawful SCHUFA entries. These arise, for example, when data subjects are unable to obtain loans or conclude contracts because their creditworthiness is negatively assessed on the basis of the entry. In Mr. Müller’s case, the unauthorized entry would have prevented him from obtaining a mortgage, which would have had significant financial consequences.

In such cases, the material damage can be quantified relatively precisely: for example, through lost business opportunities, higher interest payments on alternative loans, or additional costs incurred by hiring a lawyer.

In the present case, Mr. Müller’s lawyer claimed out-of-court legal fees of €1,134.55 in accordance with the German Lawyers‘ Fees Act (RVG). These costs are part of the material damage, as they were directly caused by SCHUFA’s unauthorized data processing.

Non-material damages

A particularly important aspect of the GDPR is compensation for non-material damages. Article 82 GDPR expressly provides that non-material damages are also eligible for compensation. The ECJ has interpreted the term “non-material damages” broadly. In addition to psychological distress and emotional stress, non-material damages also include the loss of control over one’s own data.

In Mr. Müller’s case, the non-material damage could consist, for example, in the fact that the unauthorized SCHUFA entry damaged his reputation because it was disclosed to third parties, such as banks. Such an infringement of personal rights caused by the unlawful processing of data can cause considerable psychological pressure. This is particularly evident when the entry threatens the financial existence of the person concerned. Especially in today’s society, where credit ratings play a key role in many economic areas, such exposure is a profound interference with personal rights.

However, the amount of non-pecuniary damages is assessed very differently in case law. Some courts do not see any entitlement to compensation for pain and suffering in mere “trivial cases.” For example, the Munich Higher Regional Court ruled that blocking a Facebook profile does not constitute non-material damage within the meaning of Art. 82 GDPR. On the other hand, other courts, such as the Stuttgart Higher Regional Court, have already awarded non-material damages in cases of delayed provision of information under the GDPR.

In the case of an unauthorized SCHUFA entry, the non-material damage lies not only in the immediate psychological stress, but also in the loss of control over one’s own data. The GDPR stipulates that data subjects must be informed about the use of their personal data at all times and must be able to control it. An unauthorized entry at a credit agency such as SCHUFA deprives the data subject of this control. This loss of data control, which is recognized as a ground for damages under Recital 75 of the GDPR, may also give rise to non-pecuniary damages.

https://www.drthomasschulte.de/ and https://www.dr-schulte.de/

Although the GDPR expressly covers non-pecuniary damages, the assessment of damages often remains unclear in practice. This is particularly due to the fact that non-material damage has traditionally been treated restrictively in the German legal system. According to the established case law of the Federal Court of Justice (BGH), monetary compensation for the violation of personal rights is only justified if the impairment is particularly serious and cannot be satisfactorily compensated in any other way.

The courts assess the severity of a violation of personality rights according to objective criteria, such as the significance and scope of the infringement and the degree of fault. For minor infringements, i.e., minor infringements without serious consequences, no damages are usually awarded. However, there are increasingly voices in legal literature and case law calling for greater consideration to be given to non-material damage as a deterrent to data protection violations. In this sense, it has already been recognized that the mere loss of control over personal data can constitute compensable damage.

The assertion of claims for damages under the GDPR in the case of unauthorized SCHUFA entries is therefore a complex issue that can encompass both material and immaterial damages. While material damages can often be clearly quantified, the assessment of immaterial damages remains a challenge. Case law in Germany is continuing to develop in this regard, and it remains to be seen how the ECJ will further clarify the concept of immaterial damage in the future.

In any case, data subjects who suffer from an unauthorized SCHUFA entry should assert their rights under the GDPR, as they may be significantly affected both financially and emotionally.

Test

The ruling of the Higher Regional Court (OLG) of Koblenz of May 18, 2022 (Ref. 5 U 2141/21) provides important clarifications in this context regarding claims for damages under Article 82 of the General Data Protection Regulation (GDPR).

The case and the ruling of the OLG Koblenz

In the case decided by the Higher Regional Court of Koblenz, the parties were in dispute over payment claims arising from a mobile phone contract and, in a counterclaim, over damages due to an unauthorized SCHUFA entry. The defendant had concluded a mobile phone contract with the plaintiff and later revoked it. Although the plaintiff’s claim was disputed and not enforceable, it reported the defendant to SCHUFA due to unpaid bills. Although the SCHUFA entry was deleted shortly thereafter, it had already had a negative impact on the defendant’s creditworthiness. Her house bank discontinued the credit negotiations due to the negative entry.

In its ruling, the Higher Regional Court of Koblenz confirmed the defendant’s claim for damages under Art. 82 GDPR. The court found that the mere “unpleasant feeling of uncertainty” as to whether personal data had become known to unauthorized persons constituted non-material damage. The judges emphasized the broad interpretation of the concept of damage in Art. 82 GDPR and clarified that there is no de minimis limit.

Significance for practice

The ruling of the Higher Regional Court of Koblenz is of great significance for practice. It strengthens the position of consumers who are affected by unauthorized SCHUFA entries. The ruling makes it clear that even minor impairments caused by an unauthorized SCHUFA entry can justify a claim for damages.

Important points from the ruling:

The term “damage” in Art. 82 GDPR must be interpreted broadly and also includes “fear of uncertainty.”

There is no de minimis limit for asserting claims for damages under Art. 82 GDPR.

When assessing damages, the compensatory, punitive, and preventive functions must be taken into account.

The amount of damages must be proportionate to the severity of the violation.