German Court asks CJEU to clarify whether calculating consumer credit scores falls within the scope of automated decision-making under GDPR | Allen & Overy LLP

On 25 October 2021, the Administrative Court docket of Wiesbaden (the Court docket) introduced its choice, issued in early October, to submit two inquiries to the Court docket of Justice of the European Union (CJEU) relating to the scope of the protections underneath Article 22 (1) GDPR in opposition to computerized decision-making and profiling within the context of calculating a person’s credit score scores (case no. 6 Okay 788/20.WI).

The case pertains to a declare of a person in opposition to the personal credit score report company SCHUFA Holding AG (SCHUFA) after the person was refused a mortgage primarily based on a low rating offered to a financial institution by SCHUFA. SCHUFA and different credit standing companies counsel that they merely calculate the scores for analysis of creditworthiness of people, predict, primarily based on this rating and different traits of the person, the likelihood of future behaviour (e.g. the compensation of a mortgage), and share this data with its shoppers (corresponding to banks). Credit standing companies counsel that by calculating the rating and sharing it with their shoppers they merely profile the people, and don’t undertake any automated selections within the that means of Article 22 GDPR, because the precise selections about people are made by their shoppers.

The person requested SCHUFA to supply entry to data held about her and delete sure entries from its database. SCHUFA knowledgeable the person about her rating and offered primary data on the functioning of its rating calculation, however didn’t disclose the small print on which information have been considered and the way they have been weighted claiming that such data is protected as enterprise secrets and techniques and thus don’t have to be disclosed. The person complained to the Hessian State supervisory authority (Hessian DPA), which rejected the criticism on the premise that SCHUFA typically complies with Part 31 of the German Federal Information Safety Act (BDSG), regulating the calculation and use of scores intimately, and with pre-GDPR case regulation and that there isn’t any indication that within the particular person case SCHUFA didn’t adjust to these necessities, concluding that the rating calculation methodology doesn’t should be disclosed. The person initiated courtroom proceedings in opposition to the Hessian DPA and SCHUFA.

The Court docket thought of the case and determined to revert to the CJEU to make clear whether or not the calculation by credit score companies of a person’s credit score rating and disclosure of this rating to 3rd events (corresponding to banks) with out additional remark or suggestion would fall inside the scope of Article 22(1) GDPR. The Court docket thought of it was controversial that the creation of rating represented an impartial “choice” inside the that means of Article 22 GDPR. It famous that although a special choice might be, in precept, made by the credit score company’s shopper (e.g. by a financial institution, telecommunication supplier or a landlord to enter right into a contractual relationship with the person), and that shopper doesn’t need to make its choice solely depending on the rating worth (noting examples when people with good rating are nonetheless refused a mortgage), in apply the credit score scores play a decisive position in granting loans and setting up the mortgage situations, and inadequate rating values result in refusals of client loans in virtually all circumstances.

As well as, the Court docket requested the CJEU to think about whether or not Part 31 BDSG (regulating the calculation and use of scores intimately) was suitable with the GDPR, noting that by attaching additional substantive admissibility necessities to credit score scoring, the German legislature stepped outdoors the boundaries for nationwide derogations accessible underneath GDPR for authorized bases.

That is the second case regarding SCHUFA that the Court docket submitted to the CJEU this 12 months. On the finish of August the Court docket submitted a case regarding SCHUFA’s storage of knowledge on discharge of residual debt (case no. 6 Okay 226/21.WI). The press launch of the Court docket about this case is offered here (solely in German). While the Hessian DPA seemingly made peace with SCHUFA in recent times, aligning intimately on its credit score rating calculation methodology and transferring away from the pre-GDPR consent requirement for submitting and receiving information from SCHUFA, the Court docket seems extra sceptical. Given the widespread use of SCHUFA scores in day-to-day commerce, the choice by the CJEU and the next choice of the Court docket can have big sensible implications on contracts in Germany, along with clarifying the scope of utility of Article 22(1) GDPR.

Learn the Court’s press release in regards to the case (solely in German) and The CJEU case file (the questions, in full, aren’t accessible on the time of issuing this Replace).