When the sacred Schufa judges people – badly

In Germany, SCHUFA enjoys an almost sacrosanct status (the sacred Schufa) when it comes to people’s creditworthiness. But what happens when this authority acts like an all-knowing mother-in-law – quick to judge, opinionated, but lacking complete insight? Anyone who deliberately does not pay their GEZ fees or argues with debt collection agencies can be classified as ‘not very creditworthy’ despite having significant assets – because the system behind SCHUFA does not provide for such distinctions. This raises legal and social questions. This article looks at how SCHUFA is classified legally, what limits are set on it and how those affected can actively exercise their rights.

By Dr Thomas Schulte, lawyer

SCHUFA as a private credit agency: legal basis for data processing

SCHUFA is a private credit agency that collects and processes financial data on consumers. The legal basis for this is primarily Art. 6 GDPR (lawfulness) – in particular lit. f (legitimate interest of the credit provider) – and, in addition, the BDSG. According to information from the Hessian Data Protection Commissioner, data processing by credit agencies is carried out ‘on the basis of Art. 6 (1) lit. b) and lit. f) GDPR and § 31 BDSG (old version)’ (The Hessian Data Protection Commissioner). This means that banks and retailers access SCHUFA data as authorised third parties and invoke their legitimate interest in risk prevention. Banks themselves also often rely on the performance of a contract (Art. 6(1)(b) GDPR). Contractual consent carries less weight under the GDPR (explicit ‘SCHUFA clauses’ are dispensable). According to data protection experts, Art. 6(1)(f) GDPR remains decisive, as other legal bases are difficult to apply.

Under German law, the BDSG (old version) used to contain a special provision for credit agencies (Section 28a BDSG, old version). It imposed strict conditions under which debt data may be transferred: for example, transfer is only permitted if the claim remains undisputed despite being due and has either been established by a court or is still outstanding after at least two reminders (at four-week intervals). The current version (Sections 28a et seq. BDSG, as amended) contains similar rules. According to these rules, negative payment behaviour data may only be reported to SCHUFA under certain conditions (legally established claim, acknowledgement or properly issued reminders) (Federal Data Protection Act [until 25 May 2018] / Section 28a Data transfer to credit agencies). These provisions limit the scope of data included in the scoring and are a prerequisite for justifying the processing. In addition, the general GDPR principles (Art. 5 GDPR: purpose limitation, data minimisation, storage limitation) and the information obligations of the controller (Article 12 et seq. GDPR) apply.

Criticism of credit scores based on incomplete data

Critics complain that SCHUFA’s credit scoring only reflects certain negative characteristics (‘hard’ payment behaviour) and disregards a lot of relevant information. For example, only claims that meet the legal reporting requirements (uncontested, due debts after a reminder) are included. The person’s income or financial circumstances, on the other hand, do not play a role in the score. Wealthy individuals with no official debt collection records therefore often receive a high score, while relatively minor claims (e.g. unpaid fees) can significantly lower the credit rating of low earners. The procedure is considered a ‘prognostic forecast’: the score is a statistical prediction of the probability ‘with which someone will meet their payment obligations’. However, this prediction is based solely on the data known to SCHUFA. Critics see this as a risk of distorted results because unreported debts (e.g. private direct debit claims, radio licence fees without enforcement) are not taken into account. The transparency of this procedure is also limited: according to previous case law, SCHUFA was only required to disclose the types of data used and the final score, but not the exact calculation logic. Those affected therefore often receive only a rough explanation of the ‘score principles’ but no detailed insight into the assessment logic.

Admissibility of credit scoring by private companies

Automated credit scoring falls within the scope of Art. 22 GDPR (‘automated individual decision-making’). According to Art. 22(1) GDPR, a person may not be subject to a decision based solely on automated processing with legal effects, such as an ‘automatic rejection of an online credit application’ (Art. 22 GDPR – Automated individual decision-making, including profiling) (Recital 71 GDPR – Profiling). Exceptions are narrow: Art. 22(2) GDPR allows exceptions only if a) the decision is necessary for the conclusion or performance of a contract, b) explicit consent has been given, or c) this is expressly permitted by Union or national law. According to Recital 71 GDPR, appropriate safeguards must be taken in any case.

Specifically, the ECJ ruled in the Schufa case (C-634/21) that the SCHUFA score calculation constitutes an ‘automated decision in individual cases’ (Art. 22 GDPR) if the score values transmitted to it are used by a bank or another contractual partner as a decisive basis for the credit decision. In this situation, the prohibition in Art. 22 GDPR would apply unless an exception applies. German law (Section 31 BDSG, old version) previously attempted to create a justification for credit scoring. However, the ECJ and the Advocate General expressed ‘serious doubts’ as to the compatibility of this national provision with the GDPR. It is now up to the German court to examine whether Section 31 BDSG (or the successor provisions) contains a valid exception. Irrespective of this, Article 6(1)(f) (legitimate interest of banks or credit agencies) remains the relevant legal basis for scoring in practice.

In summary: Credit scoring by private companies is only permissible under the GDPR if one of the exceptions applies (such as contractual necessity or legal authorisation) and strict conditions are met. Currently, the transparency and objection rights of the data subject apply, as standardised in Section 28a et seq. BDSG and Article 22 et seq. GDPR. According to the ECJ, a purely automated decision-making process may only take place under strict conditions permitted by EU law. In addition, data protection law requires clear information about the criteria and functioning of the scoring system.

Data protection obligations: information, transparency and erasure

Data subjects have comprehensive rights to information under Art. 15 GDPR. This requires, among other things, information on the purposes of the processing, the categories of data and recipients, and the storage period. Art. 15(1)(h) GDPR is particularly relevant: It includes disclosure of the existence of automated decision-making and profiling and requires ‘meaningful information about the logic involved’ as well as the scope and impact of this processing. The Federal Court of Justice (BGH) recently interpreted the right to information very broadly: even internal notes or email correspondence relating to the case must be disclosed.

The ECJ ruling (C-203/22) has further clarified what is meant by ‘logic of the processing’: According to this, the procedure must be explained in such a way that the data subject can understand which of their data were taken into account in the scoring decision and in what way. It may be sufficient to show, by way of example, how different input data would have changed the result. A mere description of the algorithm used or only a general formula is not sufficient. It is also important to note that if the company claims that details contain trade secrets, it must submit this information to the supervisory authority or the court. The authority will then weigh up the extent to which the data subject may receive this information. A purely national rule that generally excludes information on the grounds of trade secrets would contradict the GDPR.

Right to erasure (Art. 17 GDPR): The data subject may request immediate erasure if the data is no longer necessary or has been processed unlawfully. For example, according to the ECJ, SCHUFA may no longer store residual debt discharge information for longer than is permitted in the public insolvency register (usually six months). Under EU law and Art. 17 GDPR, inadmissible old entries must be removed.

In Germany, Sections 34–36 BDSG supplement the rights of data subjects. Section 34 BDSG (as amended) grants the right to confirmation and information, similar to Article 15 GDPR. Section 35 BDSG regulates the deletion obligations of credit agencies in the context of consumer credit. Overall, data protection law requires SCHUFA to create transparency: data subjects must be informed about scoring procedures in an understandable manner and have the right to have incorrect entries deleted.

Current case law (ECJ, BGH, BVerfG)

ECJ (C-634/21, judgment of 7 December 2023): The European Court of Justice clarified that automated SCHUFA scoring constitutes an ‘automated individual decision’ within the meaning of Art. 22 GDPR as soon as third parties (e.g. banks) attach ‘significant’ importance to this score for their credit decisions. It ordered that it be examined whether the German exemption provision (Section 31 BDSG, old version) is compatible with the GDPR. In addition, the ECJ ruled that private credit agencies may not store information about residual debt discharge for longer than the public insolvency register (six months).

ECJ (C-203/22, judgment of 27 February 2025): In the Dun & Bradstreet case, the court ruled that data subjects can request information about the decision-making logic. The responsible body must explain which data was used and how, for example by illustrating how other inputs would have influenced the result. A detailed algorithm alone is not sufficient. Trade secrets may not be used to shield the right to information across the board; requested information must be submitted to the authorities for review.

BGH: Back in 2014, the BGH ruled that SCHUFA must disclose which data it ‘feeds’ into its scoring system and what the result is – but not the specific calculation method (algorithm) used to arrive at the result. In June 2021, the BGH ruled in general that the right to information under Art. 15 GDPR must be interpreted broadly in a manner favourable to the data subject: internal notes and emails must also be disclosed. A decision on information in the specific SCHUFA situation is still pending.

BVerfG: The Federal Constitutional Court has confirmed the fundamental right to informational self-determination in general case law (e.g. in the census ruling). This means that individuals must be involved in fundamental decisions that affect them (such as credit ratings). There is no recent specific constitutional ruling on SCHUFA.

Practical tips for those affected when dealing with SCHUFA entries

  • Obtain self-disclosure: Those affected should request their free SCHUFA self-disclosure (Art. 15 GDPR) and check all stored data. Make sure that only correct claims are listed (according to Section 28a BDSG, e.g. only undisputed claims for which two reminders have been sent (The Hessian Data Protection Commissioner)).
  • Request correction and deletion: If you find errors or old data entries, you can request correction or deletion in accordance with Art. 16/17 GDPR. SCHUFA is legally obliged to correct or remove incorrect data. If, for example, an outstanding claim has been settled, SCHUFA must be informed immediately and the entry deleted.
  • Request information about scoring: In accordance with Art. 15(1)(h) GDPR, if a decision is based on the score, you are entitled to information that an automated decision-making process has taken place. You are entitled to a comprehensible explanation of how your score was calculated (Art. 15 GDPR – Right of access by the data subject). In particular, according to ECJ case law, you have the right to know which criteria were decisive and how different data would have changed the result.
  • Objection and temporary blocking: As long as you are having the legality of an entry checked (e.g. if you object to a decision by SCHUFA), SCHUFA must block the entry and may not pass it on. This strengthens your position: banks and retailers may not access this data during the review.
  • Early deletion after payment: Due to SCHUFA’s current voluntary commitment, fully paid claims can be deleted after 18 months under certain circumstances (instead of the previous 3-year period). If necessary, ask specifically about this or request early deletion as part of your information request.
  • Legal remedy and compensation: If you do not receive any information despite your objection or if unlawful data remains, administrative legal action (legal action before the competent data protection court) may be necessary. In the case of inadmissible SCHUFA entries, compensation may also be possible – courts have awarded sums of between approximately £100 and £5,000, e.g. for lost credit opportunities or increased interest costs.
