Everyone knows that when you open a website, a request for consent to process personal data is immediately made. They are also referred to as “cookies” and are a common way of obtaining personal information. This consent can usually be refused with a simple click. Nevertheless, there is the possibility to object to legal data processing. This page is specifically about the collection of data at Schufa.
Basic information about the processing of personal data
The processing of personal data can theoretically be refused. This means that it is not possible to obtain personal data from the data subjects without a special interest. However, according to Art. 6 I GDPR, the processing is still permissible in addition to the consent of the data subject if, for example, the processing
- is necessary for the performance of a contract that the data subjects have concluded with each other.
- serves to fulfill a legal requirement. is necessary to fulfill a task that is in the public interest.
- is necessary to safeguard the legitimate interests of the controller or a third party.
Upon request, data that has already been collected can also be removed. The “right to be forgotten” is enshrined in Article 17 of the General Data Protection Regulation. The same requirements apply here.
Personal data can be removed, for example, if:
- The purpose for which the data was collected has been achieved.
- Since there is no other valid legal reason, consent has been withdrawn.
- The data has been processed unlawfully.
- The data must be deleted due to another law.
- The data was collected in relation to the services offered by the information society.
Option to object to permissible data processing
Despite legitimate processing of personal data, you can object. According to Article 21 of the GDPR, a “unique situation” may, under certain circumstances, justify a right to object. This means nothing other than the requirement that the objection must, in theory, be legitimate. The person must provide the justification, not the processing environment. The next step is a weighing of the interests of all parties, in which the data controller must provide a convincing justification for the further processing of the data. The controller may no longer continue the data collection if these factors do not outweigh the personal interest of the data subject.
In general, the legislator does not provide a detailed list of requirements for “exceptional cases”. Therefore, the decisions are made on a case-by-case basis. For example, Schufa is of the opinion that credit inquiries do not justify a request for deletion. The restrictions must be observed because they are in the interest of the economy as a whole. A special circumstance could arise, for example, if the processing of address data of a political activist poses a personal risk because the target has already been threatened with death due to his or her political activities. A right to object may also arise from a contractual confidentiality agreement.
In addition, and this list is not exhaustive, a “unique condition” is assumed in the following situations:
- A well-known person is concerned that medical diagnoses or hospitalizations may be made public.
- When a patient learns that a relative will be working in the management of the same hospital, he is opposed to his medical records being kept there.
- A diplomat from a country with an increased risk of terrorism does not want his data to be stored by a credit reporting agency because he is concerned about his safety if it becomes public.
As you can see, the standard for a “unique situation” is set very high in the previous case law.
It is not even necessary to provide a reason if you object to the use of your data for direct marketing. Therefore, in the case of direct marketing, there is an unrestricted right to object. Unaddressed advertising mail (LG Frankfurt am Main, 28.02.2019, Az. 2-03 O 337/18) and partially addressed advertising mail (OLG Munich, 05.12.2013, Az. 29 U 2881/13) are two examples of direct marketing.
At least at the time of the first communication, the data controllers must explicitly inform the data subjects of their right to object under Article 21 (4) of the GDPR. The data processing would then be considered unlawful.
If an effective objection is raised, there are legal consequences.
Any further data collection is unlawful if an effective objection has been lodged and the processing of personal data continues nevertheless. It is possible to protect yourself against this. For example, temporary injunctions can be applied for to stop unlawful data collection. Illegally collected data can be removed upon request without much difficulty. You contact the responsible data protection supervisory authority with your inquiries.
There are two exceptions to this. According to Article 21 of the GDPR, data processing is permissible if either the controller can demonstrate compelling legitimate grounds for the processing of the personal data or the processing is necessary for the establishment, exercise or defense of legal claims.
In the literature, however, there is agreement in this situation that in case of doubt it is to be assumed that the interests of the data subject outweigh those of the controller. The processing company (in this case, Schufa) is obliged to respond to the objection of the data subject in some way.
Malteserstrasse 170, 12277 Berlin
dr.schulte@dr-schulte.de
📞 030 – 22 19 220 20
📠 030 – 22 19 220 21