AG CJEU addresses data subject rights and automated decision-making by credit rating agencies
Browse this blog post
Related news and insights
Blog Post: 25 May 2023
Publications: 25 May 2023
Blog Post: 24 May 2023
Blog Post: 17 May 2023
The cases relate to the data subject’s right to obtain meaningful information from credit agencies on creditworthiness scores (including the calculation method for such scores), to demand erasure of older debt-related information from credit agency databases, and to challenge in court the decisions of national supervisory authorities considering such issues.
The first SCHUFA case concerned automated decision-making and the right to obtain meaningful information about the logic involved. The AG concluded the following:
- The conditions for the GDPR right for the data subject not to be subject to a decision based solely on automated processing (including profiling) were satisfied in this case as:
- SCHUFA’s procedure for calculating creditworthiness, which involves automatically establishing a probability value concerning the ability of a person to repay a loan in the future, constitutes profiling and a decision solely based on automated processing; and
- SCHUFA’s decision produces legal effects concerning that person (or similarly significantly affects him or her), as that probability value to repay a loan in the future is determined by processing personal data relating to that person and transmitted to a third party controller, and that third party controller (in accordance with consistent practice) draws strongly on the value for the decision whether to enter, implement or terminate a credit agreement with that person.
- The obligation under the GDPR to provide ‘meaningful information about the logic involved’ must be understood to include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain result. In particular, the controller should provide the data subject with information on the factors taken into account for the decision-making process and on their respective weight at an aggregate level, which will be helpful to the data subject for challenging any decisions (such as those based on automated processing) under the GDPR.
The second and third SCHUFA cases concerned the rights to erasure and judicial redress. SCHUFA refused to delete entries about the early discharge of debts in insolvency proceedings in respect of two individuals from its databases. Official information about the early discharge of the debt was deleted after six months, but SCHUFA insisted on storing the same information for three years. The individuals complained to the national supervisory authority (DPA) and subsequently challenged the DPA decisions in court. The courts asked the CJEU about the nature of the DPA decisions and the scope of the judicial review of such decisions. The AG recommends the following answers:
- The AG believes that it is up to the national supervisory authority to decide whether all conditions of the GDPR are met by SCHUFA (including balancing the various interests at stake by the controller in deciding the lawfulness of processing) and whether there is an alleged violation of data subject rights.
- However, a legally binding decision of a national DPA must be subject to a full substantive judicial review.
- The AG finds the “considerable negative consequences that the storage of data will have on the person concerned after the period of six months” overrides the commercial interest of the private agency and its clients in storing the data after that period. The discharge from debt is intended to allow the individual to re-enter economic life, and that objective would be frustrated if private credit information agencies were authorised to store personal data in their databases after the data has been erased from the public register. The continued storage of that data was therefore not lawful.
- During the six months where the data is available on public registers, it is for the referring court to balance the interests of all parties at stake and impacts on the individual in order to determine whether the data’s parallel storage by private credit information agencies is lawful.
- The data subject concerned has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.