The specific case was submitted to the European Court of Justice (ECJ) by the Wiesbaden Administrative Court: A customer did not get a loan because her Schufa rating was too bad. She had requested Schufa access to her data, but only received the score value and general information about the calculation. It is not known exactly how the score is calculated. The negotiation was therefore about a fundamental question: To what extent does the scoring model violate EU data protection rules?

Schufa Holding AG is a private company. The credit agency collects and stores consumer data and creates a credit score on this basis. According to its own information, Schufa has information on 68 million people in Germany. The score says something about a person’s creditworthiness and often has a major influence on whether someone gets a contract or loan – as was the case with the customer in question. Banks and savings banks require the score, but so do other companies that offer energy and cell phone contracts, for example.

Consumers can hardly escape the scoring. In many cases, you have to agree to have your creditworthiness checked by Schufa before concluding a contract so that a contract can even be concluded.

Schufa’s current scoring procedure violates the General Data Protection Regulation (GDPR) – under one condition: The Schufa score must be a decisive criterion in the contractual partner’s decision, for example whether the bank will grant a loan or not. In the plaintiff’s case, it must be assumed that the score was decisive, the judges said. The automated collection of data could discriminate against people and is therefore unlawful. The EU General Data Protection Regulation prohibits precisely this automated recording if it has legal consequences for the individual.

The ECJ has shown Schufa clear limits. The case described above must now be finally heard in Wiesbaden, because the ECJ ruling initially refers to European law. However, it is likely that the German law violates the European one.

Until it is finally clarified, the judgment will have no concrete consequences. However, it is considered groundbreaking because the basis for higher transparency requirements has now been created. It now needs to be explained how the data processing works.

The Federal Association of Consumer Advice Centers (Vzbv) therefore assesses the judgment as fundamentally positive. “So far, credit reporting agencies have only had to provide very limited information about their scoring process,” says Johannes Müller from Vzbv to Capital. The ruling has now set the course for more transparency. “Consumers must now be informed about the logic of the procedure. The goal must be a comprehensible scoring result.” Müller does not believe that companies will become more suspicious as a result of the ruling and will reject customer applications more often.

The Finanzwende association also considers the ECJ ruling to be correct. “The power of Schufa is crumbling – it’s about time,” says Michael Möller, consumer protection expert at Finanzwende. “Schufa only ever reveals parts of its scoring process and otherwise relies on trade secrets,” says Möller. This has little to do with the transparency offensive that the company has promised. “It follows from the court decision that it is in favor of the argument There are limits to ‘trade secrets’ – where they affect the interests of consumers.”

Schufa itself generally welcomes the ruling because it provides clarity. However, it does not intend to restrict its business practices for the time being, it said in a statement. In it, she questions the assumption that the score plays a significant role in corporate customers’ decisions about whether or not to offer certain services to consumers. “The overwhelming feedback from our customers is that payment forecasts in the form of the Schufa score are important to them, but are generally not the only decisive factor in concluding a contract,” says Schufa.

In a second case, the ECJ also decided on the question of how long credit agencies may store data from public directories such as insolvency registers. Until now, Schufa and Co. often stored data on personal insolvencies for up to three years. The judges had to decide whether Schufa was allowed to do this and whether it could store data longer than the courts. The lawyers’ answer: No, it would violate the GDPR if private credit agencies stored such data longer than public insolvency registers. The residual debt exemption granted is intended to enable the person concerned to participate in economic life again; However, this is always used as a negative factor when assessing creditworthiness.

Schufa had already changed this practice in the spring of this year after the Advocate General at the ECJ had already made very critical comments about the storage time in his report in March. As a result, Schufa and the private credit agency Creditreform voluntarily shortened the storage period for the entries from three years to six months.

This article first appeared on Capital