The credit scoring company must inform the persons concerned

(Translated by DeepL)

Even if the company carrying out the credit scoring is not the company that ultimately decides whether to grant a loan, it takes an automated individual decision and must therefore inform the data subject (CJEU ruling of December 7, 2023 in case C-634/21, SCHUFA Holding AG).

Following the refusal of a loan by a bank, a German national requested various items of information from SCHUFA, the leading German company for credit checks. The refusal of the loan was justified on the basis of negative information drawn up by SCHUFA and passed on to the bank. In particular, the applicant would like to know what information is taken into account when calculating his credit score, and how it is weighted. SCHUFA refuses on the grounds that it is the bank, and not SCHUFA, that makes the decision to grant a loan. The Verwaltungsgericht in Wiesbaden referred a question to the CJEU for a preliminary ruling on whether SCHUFA is subject to the legal regime governing automated individual decisions (AID).

AID is regulated by art. 22 par. 1 of the General Data Protection Regulation (GDPR). Three cumulative conditions must be met for this provision to apply. Firstly, there must be a “decision”. Secondly, this decision must be “based exclusively on automated processing, including profiling”. Thirdly, the decision must produce “legal effects [concerning the data subject]” or affect him “significantly in a similar way”.

With regard to the first condition, the CJEU notes that the notion of “decision” must be broad in scope. In particular, Recital 71 of the GDPR mentions as “decision”, by way of example, the automatic rejection of an online credit application or online recruitment practices without any human intervention.

Regarding the second condition, SCHUFA’s activity meets the definition of “profiling”. Indeed, SCHUFA carries out the automated establishment of a probability value for a person and his or her ability to honor a loan in the future. The second condition is thus met.

Finally, the CJEU considers that this probability value affects the person concerned in a significant way.

Consequently, SCHUFA does indeed make automated individual decisions.

The CJEU then recalls the consequences of the existence of an AID. Art. 22 par. 1 RGPD introduces a prohibition in principle on AIDs. The data controller must therefore prove that he is in the exceptional regime provided for by art. 22 par. 2 RGPD. He may thus adopt an AID when it is necessary for the conclusion or performance of a contract (let. a), when it is authorized by Union law or the law of the Member State to which the controller is subject (let. b), or when it is based on the explicit consent of the data subject (let. c).

Accordingly, the Court concludes that the German court will have to verify whether SCHUFA can indeed rely on an exception in order to take AID.

In its judgment, the Court justifies its reasoning with an additional argument. In its view, there would be a risk of circumventing Art. 22 RGPD if a restrictive interpretation of this provision were adopted, namely that the establishment of the probability value, in casu established by SCHUFA, must only be considered a preparatory act and only the act adopted by the third party, in casu the bank, can be qualified as a “decision”. According to the CJEU, the bank’s choice to grant credit is decisively guided by this probability value. Furthermore, the bank would not be in a position to provide the specific information due under art. 22 RGPD, as it generally does not have it.

This reasoning is not convincing. According to this logic, any company that performs an automated customer classification, which would then be decisive for a contractual partner to decide whether to grant a service, would already be taking an AID. The company would therefore have to inform the individuals concerned directly, even if it is the partner who ultimately makes the decision for them.

However, it is the partner, i.e. the bank, who is free to decide whether or not to grant a loan. If the decision is based solely on the classification of the third party, the partner issues an AID. He cannot then release himself from his information obligations by claiming that he is basing himself on information transmitted by a third party, or that he does not have the relevant information to respond to requests for access from the persons affected by the decision (art. 15 par. 1 let. h RGPD). He must necessarily provide, by contractual means, access to the information necessary to comply with his legal duties.

What about Switzerland ?

The Swiss legislator has adopted the same concept of AID as that examined above. This case law could therefore be relevant in determining whether an AID exists under art. 22 LPD. That said, as pointed out by Simon Henseler, the Federal Council considers that “[t]he calculation of a credit score by an intelligence company does not constitute an automated individual decision within the meaning of the nLPD but a decision aid insofar as the actual decision (refusal of a payment on invoice, for example) lies with the company’s customer” (Report of the Federal Council in response to postulate 16.3682 Schwaab of September 21, 2016, p. 25).

In practice, Swiss companies carrying out credit scoring would now have to comply with the legal regime for AID set out in Art. 22 LPD, pending clarification of the case law. In particular, the violation of the duty to inform in the case of AID, whether intentionally or through malice aforethought, is punishable under criminal law by the individual responsible (art. 60 al. 1 let. b ch. 2 LPD).