In its judgment dated 7 December 2023 (C-634/21 – Schufa) presented by the Administrative Court Wiesbaden (Germany), the court held that Article 22 of the GDPR (Art. 22 GDPR) applies also to probability values that are created by credit scoring agencies on the basis of personal data and used by third parties in order to decide whether the respective individual is eligible for a credit or establishing a contract.
The court affirmed by this judgment that it is not required under Art. 22 GDPR that the generated value automatically leads to such a direct legal decision but that it is rather sufficient that the individual is factually rendered ineligible due to the score and receives a respective decision by the company relying on the value. Section 31 of the German Data Protection Act (Sec. 31 BDSG) imposes specific requirements on the use of such values by companies, providing an exception to the general rule of Art. 22 GDPR that such “automated” decisions are prohibited. This decision will on the one hand have a material impact on the practice of scoring agencies and companies relying on the scores but will as an indirect result also raise questions regarding the compliance of Sec. 31 BDSG with GDPR permitting national deviations only in very limited scenarios while observing strict requirements. Full text here.