Advocate General says that the automated establishment of a probability concerning someone’s ability to service a loan is profiling under the GDPR

March 22, 2023

The Advocate General has given an opinion in Case
. It concerned proceedings between an individual and Land Hessen. The case related to Schufa, which provides its clients with information on the creditworthiness of third parties.

It provided a credit institution with a score for the individual in question. The credit score was used to refuse the credit for which the individual had applied. The individual subsequently requested that Schufa erase the entry concerning her and to grant her access to the corresponding data. However, Schufa merely informed her of the relevant score and, in broad outline, of the principles underlying the calculation method for the score, without informing her of the specific data included in that calculation or of the relevance accorded to the data in that context, arguing that the calculation method is a trade secret.

The individual argued that Schufa’s refusal breaches data protection rules. The German courts referred the case to the Court of Justice to ask questions about the restrictions which the GDPR imposes on the economic activity of reporting agencies in the financial sector, in particular in data management, and about trade secrets. The Court was also asked to clarify the scope of the regulatory powers which certain provisions of the GDPR confer on the national legislature by way of derogation from the general objective of harmonisation under the GDPR.

Advocate General Priit Pikamäe has now given his opinion. He says that the GDPR establishes a right for an individual not to be subject to a decision based solely on automated processing, including profiling.

The Advocate General also said that the conditions for that right were satisfied because:

  • the procedure at issue constitutes profiling,
  • the decision has legal effects on the person or has similar significant effects; and 
  • the decision is based solely on automated processing.

The Advocate General says that GDPR also provides that the person concerned has the right to confirmation about whether personal data is being processed, as well as other information, e.g. the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person concerned. He considers that the obligation to provide ‘meaningful information about the logic involved’ must be understood to include sufficiently detailed explanations of the method used to calculate the score and the reasons for a certain results. In general, the data controller should provide the individual with general information, including factors taken into accounts for the decision-making process and on their respective weight on an aggregate level, which is also useful for him or her to challenge any decision under the GDPR, recognising the right not to be subject to a decision based solely on automated processing, including profiling.

The German courts also referred Cases C-26/22 and C-64/22. They related to ensuring the deletion of an entry relating to discharge from remaining debts from Schufa’s records. Insolvency proceedings granted two people early discharge from remaining debts which was recorded online and then deleted after six months. Schufa does not delete the information for three years. The referred questions covered the legal nature of the decision taken by the supervisory authority hearing a complaint and the scope of the judicial review which the court may exercise in the context of proceedings brought against such a decision. The question of the lawfulness of the storage of personal data from public registers by credit information agencies was also raised.

The Opinion states that the lawfulness of processing must be apparent from a balancing of the various interests at stake where the legitimate interests pursued by the controller or by a third party must take precedence. It is for the supervisory authority to ascertain whether those conditions are met. Lastly, if a person decided to seek a remedy against the decisions of the supervisory authority, under the GDPR, it would be for the national courts to carry out an effective judicial review. In the Advocate General’s view, a legally binding decision of a supervisory authority is subject to a full substantive judicial review, to guarantee an effective judicial remedy.

The Advocate General states that, under the GDPR, processing personal data may be lawful if these three conditions are satisfied:

  • the pursuit of a legitimate interest by the data controller or by the third party or third parties to which the data is communicated.
  • the need to process personal data for the legitimate interest pursued, and
  • the fundamental rights and freedoms of the person do not take precedence.

The Advocate General observed that the considerable negative consequences that the storage of data will have on someone after the six-month period would seem to override the commercial interest of the private agency and its clients in storing the data after that period. He pointed out that the discharge granted from remaining debts is intended to allow the beneficiary to re-enter economic life. That objective would be frustrated if private credit information agencies were authorised to store personal data in their databases after the data has been erased from the public register.

The Advocate General takes the view that the storage of data by a private credit information agency cannot be lawful under the GDPR once the personal data concerning insolvency has been erased from public registers. Regarding the six month period where the data is also available in public registers, it is for the referring court to balance the above mentioned interests and effects on the person concerned to decide if the parallel storage of the data by private credit information agencies is lawful on that basis.

Finally, the Advocate General points out that the GDPR provides a data erasure right where someone objects to the processing or where the data has been unlawfully processed. In that situation, the person concerned therefore has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.