Status: June 2018
1. Name and contact details of the responsible body and its Data Protection Officer
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0
SCHUFA’s Data Protection Officer can be reached by contacting the Data Protection Department at the above address or via email at firstname.lastname@example.org.
2. Data processing by SCHUFA
2.1 Purpose of data processing and legitimate interests pursued by SCHUFA or a third party
SCHUFA processes personal data to provide authorised recipients with information regarding the creditworthiness assessment of natural persons and legal entities. This also involves the calculation and exchange of scores.
SCHUFA only makes this information available when legitimate interest has been credibly expressed in each individual case and all interested parties consider the processing of such data to be permissible. Such interest is particularly legitimate before business transactions with a risk of financial default. Credit assessments are designed to protect lenders against loss on loans, while making it possible to advise and protect borrowers against excessive debt.
Data is also processed to prevent fraud, assess trustworthiness, prevent money laundering, verify age and identity, look up an address, provide customer service, carry out risk management, and to determine pricing and conditions. SCHUFA shall make its customers aware of any changes made to the purpose of data processing in accordance with Art. 14 Par. 4 of the GDPR.
2.2 Legal grounds for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation.
Data is processed on the basis of both customer consent and Art. 6 Par. 1 f of the GDPR, insofar as the data processing is required to defend the legitimate interests of the responsible body or a third party and does not outweigh the interests or fundamental rights and freedoms of the affected parties requiring the protection of personal data. Consent given to respective contractual parties may be revoked at any time. This also applies to any consent given before the GDPR entered into force. If consent is revoked, this shall not affect the legality of any personal data processed before such revocation took place.
2.3 Source of Data
SCHUFA receives data from its contractual partners. These are institutions, financial companies and payment service providers located in the European Economic Area, Switzerland and any other third countries (provided the European Commission
has declared such countries as appropriate). Such contractual partners either bear the risk of financial default (e. g. banks, savings banks, credit unions, credit card companies, factoring firms and leasing companies) or use SCHUFA’s products for the purposes listed in Section 2.1, especially including companies in the mail order, trading, e-commerce, service, rental, energy, telecommunications, insurance and debt collection sectors. SCHUFA also processes data from generally accessible sources, such as public registers and official announcements (debtor registers and insolvency announcements).
2.4 Categories of personal data processed (personal details, payment history and compliance with contracts)
- Personal details, e. g. surname (including any previous names reported following a separate request), first name, date of birth, birthplace, address, previous addresses
- Information regarding the initiation and contractual execution of a financial transaction (e. g. current accounts, instalment loans, credit cards, accounts exempt from attachment and basic accounts)
- Information regarding undisputed and payable claims for which reminders have repeatedly been given or a judicial enforcement has been made, and the settlement of such claims
- Information regarding improper or otherwise fraudulent behaviour, such as identity fraud and fraudulent declarations of creditworthiness
- Information from public registers and official announcements
- Credit scores
2.5 Categories of personal data recipients
Recipients are contractual partners located in the European Economic Area, Switzerland and any other third countries (provided the European Commission has declared such countries as appropriate), as outlined in Section 2.3.
Other recipients may include SCHUFA’s external contractors in accordance with Art. 28 of the GDPR, and SCHUFA’s internal and external departments. SCHUFA is also subject to government agencies’ statutory powers of intervention.
2.6 Duration of data retention
SCHUFA only stores personal data for a particular amount of time. This amount of time is determined by the necessity of such information. SCHUFA has set deadlines to evaluate the need to continue storing or delete personal data. Personal data shall then be retained, in principle, for exactly three years following the date of completion. Exceptions to this rule include the deletion of:
- Enquiry details after exactly twelve months;
- Information regarding trouble-free contractual data for accounts documented without the pertinent claim (e. g. current accounts, credit cards, telecommunications accounts and energy accounts), information regarding contracts that require evidence-based verification by law (e. g. accounts exempt from attachment and basic accounts), and guarantees and trading accounts in credit, immediately following the termination notice;
- Data from the debtor registers of central courts of execution after exactly three years, or earlier if the central court of execution provides SCHUFA with evidence to prove the data has been deleted;
- Information regarding consumer/insolvency proceedings or residual debt exemption proceedings exactly three years following the termination of the insolvency proceedings or granting of the residual debt discharge. Data may be deleted even earlier in specific individual cases;
- Information regarding cases in which an application to file for insolvency proceedings has been rejected due to a lack of assets, security measures have been repealed or a residual debt discharge has not been granted, after exactly three years;
- Previous home addresses shall be stored for exactly three years; it shall then be assessed whether this data needs to be stored for another three years. The data shall then be deleted on the exact date unless it needs to be stored even longer for identification purposes.
3. Rights of affected parties
All persons on whom SCHUFA collects information have the right to access this personal data in accordance with Art. 15 of the GDPR, to rectification in accordance with Art. 16 of the GDPR, to erasure according to Art. 17 of the GDPR, and to
the restriction of processing in accordance with Art. 18 of the GDPR. SCHUFA has set up a Customer Service Centre to deal with the issues of affected parties. This can be contacted by mail at SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Köln, by phone on +49 (0) 6 11-92 78 0 and via an online form at www.schufa.de. It is also pos- sible to get in touch with SCHUFA’s regulatory authority, the Data Protection Officer for the State of Hesse. Consent given to a particular contractual partner may be revoked at any time.
|Art. 21 Par. 1 of the GDPR governs that consent for data processing may be revoked for reasons related to the specific circumstances (e.g. witness protection, women`s shelter) of an affected party. |
Such revocations may be lodged informally and should be addressed to: SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Köln.
4. Profiling (Scoring)
SCHUFA-Credit Reports can be complemented with so-called “Scores”. Scoring involves the collection of past information and experiences to predict future events. SCHUFA calculates all scores based on the information it has stored on the affected parties, and this information shall also be identified in Credit Reports in accordance with Art. 15 of the GDPR. SCHUFA also observes the provisions of Section 31 of the BDSG during the scoring process. The data entries saved for particular persons are used to assign them to statistical groups of individuals who have had similar entries in the past. The process used is called “logistic regression” and is a sound, tried-and-tested, mathematical-statistical method used to forecast risk probability.
SCHUFA uses the following types of data to calculate its scores (although not every data type is included in each individual scoring process): general information (e. g. date of birth, gender and number of addresses used for the business transaction); payment problems to date; borrowing activity last year; use of loans; credit history length; and address information (only when a small amount of personal credit data can be collected). Certain information is neither saved nor taken into account during the scoring process in accordance with Art. 9 of the GDPR, e. g. details on a person’s nationality and particular types of personal data like ethnicity or political and religious beliefs. The assertion of rights contained in the GDPR, such as the inspection of SCHUFA’s stored information pursuant to Art. 15 of the GDPR, shall have no impact on the scoring process.
The submitted scores support contractual partners in their decision-making and risk management processes. A person’s creditworthiness and the associated level of risk shall then be assessed by the direct business partner alone as the
sole holder of extensive additional information, such as the details of a loan application. This shall also apply if the direct business partner relies exclusively on the information and scores provided by SCHUFA. In any case, the conclusion of a contract cannot be refused purely on the basis of a SCHUFA-Score.
More information on the scoring process for SCHUFA-Credit Reports and the detection of notable circumstances can be found at www.scoring-wissen.de.