Can Credit Reference Agencies Access Your Personal Data?

On 7 December, the European Court of Justice (CJEU) issued a clarification on the processing of credit ratings and the right of data subjects to request the deletion of such data, which is of relevance for credit rating companies in Lithuania.

The dispute arose in Germany, where a financial institution refused to grant a loan to an individual after SCHUFA, which provides credit ratings for individuals, provided the financial institution with negative information about the prospective loan recipient. The natural person asked SCHUFA to provide him with information about the personal data it processed and to delete the allegedly incorrect data.

In response to this request, SCHUFA informed the individual of its credit rating and outlined the procedure for calculating the score. However, on grounds of commercial secrecy, it refused to disclose the individual data considered in the calculation of those scores and the comparative weight of such data. Finally, SCHUFA stated that it had limited itself to transmitting the data to its contractual partners (the financial institution) and that it was they who took the actual decisions on the loan agreements.

The German court referred several questions to the CJEU:

  • whether a credit rating company can be considered to be processing personal data by automated means. This question was important in the sense that, if the answer is positive, automated processing of personal data is very limited under the GDPR and such a company has to disclose the reasoning behind the credit rating;
  • how long a private credit rating company can keep individuals’ insolvency data; if it is kept longer than in public registers, whether such a company can rely on legitimate interest;
  • whether the data subject can request the deletion of his/her data from the credit rating company’s database.

On the first question, the court held that credit rating is automated processing. The general rule under the GDPR therefore applies: such processing is not possible unless it falls within one of the exceptions of Article 22(2) of the GDPR, namely that:

  • it is necessary for entering into, or performance of, a contract between the data subject and a credit rating company;
  • it is authorised by Union or Member State law to which the credit rating company is subject;
  • it is based on the data subject’s explicit consent.

The CJEU made it clear that such data processing is not possible on any other basis, which means that credit rating companies cannot rely on a legitimate interest, as is commonly the practice.

Secondly, the CJEU stated that, once the retention period in the public insolvency register has expired, the continued retention of such data by a credit rating company cannot be based on a legitimate interest, and that such companies cannot therefore keep such data for longer than the period for which such data are kept in the public registers.

Thirdly, the data subject has the right to have his or her personal data erased without undue delay by credit rating companies if he or she does not consent to the processing of his or her personal data and there are no overriding legitimate reasons that may exceptionally justify such processing.

This interpretation by the CJEU is based on the fact that the processing of insolvency data (even if historical), and in general the uncontrolled collection of various data to create a credit rating, is unjustified: the data subject must be seen to be in a position to re-enter economic life despite past debts, while the processing of historical data is a negative factor which may affect future decisions about that person.

Prepared by ECOVIS ProventusLaw Certified Data Protection Expert, Associate Partner Brigida Bacienė
