Today, 7 December 2023, the Court of Justice of the European Union (CJEU) delivered its judgment in the case C-634/21, SCHUFA Holding (Scoring).
In this case, a private credit agency (Credit Agency) has provided a credit institution (Institution) with a score on a natural person, which constituted the reason for refusing to grant her access to the credit.
The CJEU ruled that the automated establishment by the Credit Agency of a probability value concerning the ability of a natural person to benefit from a loan constitutes an automated decision under Article 22 of the GDPR (Automated Decision) and not merely a preparatory act for taking an Automated Decision. This is applicable when such probability value is communicated to a third party (in this case, the Institution) which decisively relies on it in its decision to establish, implement or terminate a contractual relationship with that person.
Note: In this case, the referring court explained that, even if the decision of the Institution must not depend solely on the scoring provided by the Credit Agency, it is usually the determining factor. Thus, even if providing the loans by the Institution may be refused based on a sufficient credit score, an insufficient credit score would nearly always (in case of consumer loans) lead to a refusal to grant the loan, even when an investment otherwise appears to be profitable.
Furthermore, in line with the previous findings of the Advocate General, the CJEU confirmed that the Institution is not obliged to provide the data subject with the information under Article 15(1)(h) of the GDPR regarding the automated decision of the Credit Agency on creditworthiness, as the Institution does not hold this information (see para. 63).
Finally, the CJEU also stated that it is not contrary to the GDPR for an EU Member State to adopt national provisions establishing other types of automated decisions than those falling under Article 22 of the GDPR (as is the case in Germany). However, even in this case, these decisions must comply with the provisions of the GDPR, including the principles set out in Article 5 and the conditions for establishing a basis for processing under Article 6.
Note: In interpreting Article 22, the CJEU referred to its reasoning in another recent case, Pankki S, according to which, when interpreting a provision of the EU law, account must be taken not only of its wording, but also of the context in which it exists and the aims and purpose of the act of which it forms part (see our brief summary of the case here).