Bytesize Legal Updates - Understanding the Impact of the landmark SCHUFA Judgment | Fieldfisher

Locations

United Kingdom, United States

 

In our latest episode of the Bytesize Legal Updates podcast, Megan Ward and Flick Fisher delve into a landmark judgment recently issued by the Court of Justice of the European Union (CJEU) against SCHUFA. SCHUFA 1 is one of the first European court decisions that considers what amounts to automated decision-making within the meaning of Article 22 of the GDPR. On the same day, the CJEU also handed down a related judgment, SCHUFA 2, which underlines the importance of ensuring lawful use and limited retention of public registry data by commercial organizations.

The Significance of SCHUFA 1 - Evaluating Automated Decision-Making under GDPR

In the first judgment, SCHUFA 1, the CJEU examined the concept of automated decision-making under Article 22 of the General Data Protection Regulation (GDPR). SCHUFA, a leading private credit agency in Germany, faced a complaint regarding its refusal to grant a loan based on an individual's credit score. The key question was whether SCHUFA's scoring process constituted automated decision-making within the scope of Article 22. The CJEU's ruling clarified the broad interpretation of what constitutes automated decision-making, emphasizing that even if a third party takes the final decision, the generation and use of algorithmically driven scores fall within the ambit of Article 22.

Exploring the Implications of SCHUFA 2 - Retaining Public Registry Data for Commercial Purposes

The second judgment, SCHUFA 2, focused on SCHUFA's practice of retaining information from public registries, specifically the German Insolvency Register. SCHUFA's customers, typically banks, used this information to assess an individual's creditworthiness. However, the retention period employed by SCHUFA differed from the one prescribed by German law for the public registry. The CJEU's ruling emphasized the need to balance the rights and interests of the data subject, stating that private organizations should not retain public registry data for longer than the period set by the public register.

Key Takeaways for Businesses and Service Providers

Here are some key takeaways from the SCHUFA judgments:

1. Compliance with Article 22: If your organisation generates algorithmically driven scores with potential legal impacts, such as the denial of a contract, but passes this information to a third party to action the decision-making, your organisation will not avoid the application of Article 22 of the GDPR.

2. Balancing Interests: When processing public registry data, be mindful of the balancing test required under GDPR. Just because data is publicly available does not automatically justify its unrestricted retention. Consider the interests of the data subject and adhere to any prescribed retention periods.

Conclusion

The CJEU's rulings demonstrate the expansive scope of automated decision-making under Article 22 of the GDPR and underline the importance of ensuring lawful use and limited retention of public registry data by commercial organizations. Staying informed and adapting practices accordingly is crucial to maintaining compliance and protecting individuals' privacy.
