Schufa If a bank passes on information about a customer’s financial situation to third parties and breaches its duty of confidentiality, the customer can claim damages.
In an interview in February 2002, Rolf Breuer, President of the Association of German Banks and Chairman of the Supervisory Board of Deutsche Bank, casually questioned the creditworthiness of the Kirch Group. His statement triggered the biggest corporate bankruptcy after the Second World War: two months after the interview on Bloomberg TV, KirchMedia, the most important company in the Kirch Group, filed for insolvency because old loans had not been extended. 5,000 of the Kirch Group’s 11,000 employees were laid off, and entrepreneur Leo Kirch was left with a tarnished reputation.
Kirch was convinced that Breuer’s careless remark had contributed to the collapse of the media group. Yes, it was even said to have been a targeted smashing of his group. Kirch sued Breuer and Deutsche Bank in May 2002 for violating banking secrecy.
In February 2003, the Munich District Court ordered Breuer to pay damages. He appealed, but the judgment of the Munich Higher Regional Court of December 2003 (Case No. 21 U 2392/03) was upheld in January 2006 by the Federal Court of Justice (BGH) in the so-called ‘Kirch (Case No. XI ZR 384/03): Deutsche Bank and Breuer were fundamentally liable for damages incurred by the Kirch subsidiary Print Beteiligungs GmbH, a customer of Deutsche Bank, as a result of Breuer’s interview.
This is just one case, albeit certainly the most famous, in which a customer was able to claim damages due to the disclosure of information by the bank. Overall, there are three main groups of cases involving unlawful disclosure of data by banks.
Update 2024 – Schufa and banking secrecy
The Kirch case against Deutsche Bank and Rolf Breuer had far-reaching consequences:
1. court decisions:
- In February 2003, the Munich District Court ordered Breuer to pay damages.
- The Munich Higher Regional Court upheld the ruling in December 2003.
- In January 2006, the Federal Court of Justice (BGH) confirmed in the ‘Kirch decision’ that Deutsche Bank and Breuer were generally liable for damages incurred by the Kirch subsidiary Print Beteiligungs GmbH.
2. Impact on the Kirch Group:
- On 8 April 2002, the Kirch Group filed for insolvency at the Munich District Court for KirchMedia GmbH & Co KGaA.
- At that time, KirchMedia had 1.4 billion euros in debt and 500 million euros in obligations to American film and media conglomerates.
- A total of 5,000 of the Kirch Group’s 11,000 employees were laid off.
- On 12 June 2002, the last pillars of the group, Taurus Holding and KirchBeteiligung, also filed for bankruptcy.
3. Legal implications:
- The case set a precedent for the liability of banks for violating banking secrecy.
- It clarified the importance of banks‘ duty of confidentiality towards their customers.
4. Long-term impact:
- The case led to increased sensitivity in the handling of customer information in the banking sector.
- It underscored the potential legal and financial consequences for banks of violating their duty of confidentiality.
The case of Kirch v. Deutsche Bank and Rolf Breuer remains an important example of how the disclosure of customer information by banks can lead to substantial claims for damages.
First case: public statements about the creditworthiness of the customer
The contract that you enter into when you take out a loan obliges the bank to maintain confidentiality. The bank is not allowed to make any public statements about the creditworthiness of the customer if it has obtained this information in the course of its banking activities. Neither the customer’s bankruptcy nor their lottery win may be reported to third parties without the customer’s knowledge and consent.
According to the Federal Court of Justice’s (BGH) supreme court ruling in the Kirch case, ‘The lending bank has a secondary obligation under the loan agreement not to jeopardise the borrower’s creditworthiness, either through factual claims, even if they are true, or through value judgements or expressions of opinion.’
It is not only possible for economic giants like Leo Kirch to take legal action against a bank. Private customers are also protected: if a bank passes on information about a customer’s solvency without justification, this can damage the customer’s reputation. The next time they want to buy a car, the person concerned may not be granted credit because the car dealership’s bank considers the customer to be insolvent.
The bank customer suffers actionable damage because other banks or business partners believe the information about his insolvency and no longer grant him credit. In principle, there is a claim for damages here, because ultimately, a loss of creditworthiness can throw an entire life into disarray. In the worst case, a private household may also have to file for bankruptcy, as Leo Kirch did.
Second case: Loss of job due to a wanted ad
Arne W., a doctor, was on the verge of being appointed head physician at a clinic in Bielefeld. At that point, his bank placed a wanted ad in the local newspaper because it wanted to assert claims against him. His career dream was shattered: the clinic’s management deemed him unsuitable for the position of head physician, which involves a high level of trust.
Applying for jobs at other hospitals was also difficult. Arne W. now had a reputation as an unreliable person because of his debts. His professional career came to an abrupt end – and yet the bank had the doctor’s correct personal data and could have contacted him directly with their claim!
Nevertheless, caution is advised when filing a claim for damages in such a context. Unlike the Kirch case, for example, in which the Breuer interview was broadcast on television, the bank had only placed an ad for Arne W. in a newspaper with a small circulation. The doctor’s debts were not known to ‘the whole world’.
Arne W. therefore had a duty to minimise his losses: he himself had to keep the damage to a reasonable minimum and try to find another position as a senior consultant and avoid a loss of earnings. It was only when he was able to prove that he had not found a comparable position despite making certain efforts that he was able to sue for the financial losses incurred.
In his case, the financial community had also gained extensive knowledge about his financial situation through the ‘small newspaper’ and it was very difficult for Arne W. to find a new job, let alone a comparable one.
A similar incident is conceivable in practically every professional group. A security company could dismiss a cash-in-transit driver because the bank has informed it of the driver’s enormous debts and the company now fears that the driver might steal some of the money entrusted to him. If the former cash-in-transit driver does not find new employment, a claim for damages against the bank is also conceivable here.
However, there are also cases in which the bank is allowed to go public and disclose the customer’s financial situation. For example, if a customer gives a false address in order to avoid having to repay an outstanding loan and the bank can no longer reach him, the bank can also go to the customer with the help of the public and place an advertisement, for example. In Arne W.’s case, this did not apply – he was entitled to compensation.
Third case: Incorrect transmission of data to Schufa – bank’s intention to cause damage
In another case, the bank providing the loan had transmitted incorrect data to Schufa (OLG Frankfurt 17 U 35/87, 17 U 203/87). The customer had taken out a loan and assigned his future salary claims as security. When around €7,000 of the repayment was still outstanding, he was no longer able to meet the demands. The bank then cancelled the loan and called it due. It then informed Schufa that it had applied for a default summons against the customer. An enforcement order and a court-ordered attachment and transfer order were already in place. In fact, however, the bank had applied for the order for payment later than stated and – crucially – the customer had objected to it within the time limit. Neither a writ of execution nor the enforcement could be issued in this way.
In such a case, the customer is generally entitled to compensation. On the one hand, he can demand back the costs incurred in engaging a lawyer to protect his rights. On the other hand, the customer can generally demand compensation for the damages incurred as a result of the credit risk in accordance with § 824 BGB: Due to the Schufa entry, it could, for example, happen that other banks no longer grant the customer credit or that a mobile phone provider refuses a contract. The bank can also be held liable for these damages.
The Frankfurt judges also saw it that way. In the grounds for the judgment, it states: ‘If a credit institution intentionally provides the Schutzgemeinschaft für allgemeine Kreditsicherung (Schufa) with incorrect negative information about a credit relationship, the borrower is entitled to have the incorrect data stored at Schufa deleted and to claim compensation for the material damage in accordance with § 824 BGB. However, the borrower cannot claim compensation for pain and suffering due to defamation or violation of his general right of privacy.“
The court considered the bank’s actions to be intentional. The data transmitted to Schufa was objectively false: there was no attachment or transfer order against the customer, so his financial situation was better than claimed. However, due to the incorrect Schufa entry, a second credit institution refused the customer a loan. The court ruled that the bank that had transmitted the false data to Schufa must therefore work with Schufa to correct the information.
However, the court denied a claim for damages in this case. The customer’s reputation was not sufficiently damaged, since he was ‘only’ said to owe 7,000 euros. The case may be different if the bank wrongly accuses a customer of immoral bill-dodging. In such circumstances, damages may also be an option.
Fourth case: thoughtless reporting of a customer to the credit reference agency
Further rulings help victims of Schufa reports. The Higher Regional Court of Düsseldorf, for example, ruled in its judgment of 14 December 2006 – I-10 U 69/06 under the Federal Data Protection Act.
The judgment of the Düsseldorf Higher Regional Court of 14 December 2006 (Ref. I-10 U 69/06) deals with the question of the inadmissible transmission of data to Schufa and in doing so strengthens the protection of personal data in commercial transactions. The plaintiff had taken legal action against the disclosure of his data to Schufa and was successful on appeal. The court ordered the defendant to revoke the transferred data and additionally awarded the plaintiff a sum of €68.61. Furthermore, the defendant was ordered to bear the costs of the legal dispute.
In essence, the court found that the defendant was not authorised to transfer the data because the necessary balancing of interests had not been carried out. In this regard, the plaintiff’s legitimate interests clearly outweighed those of the defendant and Schufa. The decisive reasons for this were that the plaintiff had not raised any obviously unfounded objections to the claim, that the parties had previously maintained a long-standing conflict-free business relationship and that the amount of the disputed claim was disproportionate to the possible economic disadvantages for the plaintiff.
The court based the claim for revocation on Section 35 (2) sentence 2 no. 1 of the Federal Data Protection Act (BDSG) and, alternatively, on general civil law provisions such as Sections 12, 823 (1) and 1004 (1) of the German Civil Code (BGB). The claim for damages for the losses incurred by the legal fees was also based on civil law principles such as §§ 280 (1) and 241 (2) BGB and § 823 (1) BGB.
The judgment emphasises the importance of a careful and individual consideration of interests before personal data is transmitted to credit reference agencies such as Schufa. It thus sends a clear signal for data protection and the protection of consumers‘ economic integrity. The Higher Regional Court of Frankfurt am Main has also ruled similarly, judgment of 18 June 2008 – 23 U 221/07.
General Data Protection Regulation since 2018 – significant expansion of the rights of data subjects
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, the requirements for banks and financial institutions when handling personal data have become significantly more stringent. The GDPR sets out clear rules for both the lawful processing and protection of this data. Banks are faced with the challenge of complying with the extensive regulations while at the same time ensuring the trust of their customers.
A central element of the GDPR is the lawfulness of data processing, which may only take place under certain conditions. In this context, the banking sector often refers to the fulfilment of contracts or legal obligations in accordance with Art. 6 (1) points b and c GDPR. Seamless accountability also requires the careful documentation of all data processing. This not only serves internal control, but also as proof for supervisory authorities.
The GDPR has established new standards with the principle of data protection by design and by default. Banks must take data protection measures into account as early as the planning phase of technical systems and ensure that only the data necessary for the respective purpose is processed. Another core element is the deletion concept, which regulates the timely and proper deletion of personal data once statutory retention periods have expired.
Current developments illustrate the increasing importance of data protection. Increased audits by data protection supervisory authorities and high fines for violations show that the GDPR does not just exist on paper. In addition, important court rulings, such as the judgment of the Higher Regional Court of Düsseldorf (Az. I-10 U 69/06), have underscored the requirements for carefully weighing interests when passing on data, for example to Schufa, the German credit reference agency. In the event of unauthorised data transfer, data subjects can not only demand revocation, but also claim damages.
The tightened requirements have far-reaching consequences for banks. They not only have to take technical and organisational measures to protect personal data, but also regularly review their processes and systems. Transparency plays a crucial role here: customers must be informed in a comprehensible and comprehensive manner about how their data is processed. In addition, regular employee training is required to ensure that data protection measures are consistently implemented in day-to-day work. In addition, data protection impact assessments must be carried out for risky data processing in order to identify and minimise possible risks at an early stage.
Overall, the GDPR has raised data protection in the banking sector to a new level. For financial institutions, this not only means increased requirements, but also the opportunity to strengthen the trust of their customers and minimise legal risks by implementing transparent and data protection-compliant processes. Ongoing dialogue between banks, supervisory authorities and customers will continue to be crucial in the future to further develop data protection and adapt it to new challenges.
Fifthly, judgments for damages under the General Data Protection Regulation
Today, it is no longer a matter of intent or negligence in the event of incorrect data transmission, but rather Art. 82 of the General Data Protection Regulation, which in principle awards damages.
Since the General Data Protection Regulation (GDPR) came into force in 2018, case law on claims for damages in the event of data protection violations has developed considerably. A central element here is Article 82 of the GDPR, which grants data subjects the right to claim compensation for material and non-material damages in the event of violations of the regulation.
Development of case law:
In recent years, various courts, including the European Court of Justice (ECJ), have made important decisions on the interpretation of Article 82 GDPR:
•ECJ ruling of 4 May 2023 (Case C-300/21): The ECJ clarified that not every violation of the GDPR automatically establishes a claim for damages. Rather, specific material or immaterial damage must be proven that can be causally attributed to the infringement. In addition, the ECJ rejected the introduction of a materiality threshold, meaning that even minor impairments may be eligible for compensation.
ECJ judgment of 11 April 2024 (Case C-741/21): In this decision, the ECJ emphasised that a breach of the GDPR alone is not sufficient to establish a claim for non-pecuniary damages. Actual harm must be demonstrated, whereby feelings such as annoyance or frustration can already be recognised as non-pecuniary harm.
ECJ judgment of 20 June 2024 (Cases C-182/22 and C-189/22): The Court ruled that the mere fear of possible misuse of personal data may constitute non-material damage that can be compensated, provided that that fear can be regarded as well-founded in the circumstances.
National case law:
National courts have also dealt with claims for damages under Article 82 GDPR:
• Higher Regional Court of Dresden, decision of 29 August 2023 (case no. 4 U 1078/23): The court awarded a plaintiff 1,500 euros in damages for pain and suffering because his personal data had been unlawfully processed.
Federal Court of Justice (BGH), judgment of 18 November 2024 (Az. VI ZR 10/24): The BGH ruled that Facebook users whose data was illegally tapped and distributed on the internet are generally entitled to compensation. In this context, it is sufficient that control over one’s own data has been lost, without the need to prove specific economic damage.
Conclusion
If a bank passes on customer data to third parties without authorisation, it is usually worth the affected party’s while to file a claim for damages. The aggrieved party can claim back legal fees and sue for damages incurred if, for example, third parties no longer grant credit to the customer due to the customer’s alleged solvency problems or refuse to enter into a contract with the customer. In the case of defamation, claims for damages are even conceivable. This legal situation has improved considerably in favour of bank customers. While originally only intentional acts (kicking against the knee) were discussed in court, today data leaks already lead to claims for damages.
Dr Thomas Schulte, a lawyer in Berlin (Malteserstraße 170, 12277 Berlin, telephone: 030 – 22 19 220 20, email: dr.schulte@dr-schulte.de)
More information can be found on the official website of Dr Schulte and in his article on the jurisdiction of Schufa entries. Current developments regarding Schufa and data protection can also be found on the GDPR portal and the federal data protection page.