SCHUFA Notification according to Art. 14 GDPR

Last revised: July 2020

1. Name and contact details for the controller and the company data protection officer

SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0

The company data protection officer may be reached at the address listed above, attention Data Protection Department or by e-mail at datenschutz@schufa.de.

2. Data processing by SCHUFA

2.1 Purposes of data processing and legitimate interests pursued by SCHUFA or a third party

SCHUFA processes personal data in order to provide authorised recipients with information for assessing the creditworthiness of natural and legal persons. Scores are also determined and transmitted for this purpose. It only makes this information available if a legitimate interest in such information has been credibly presented in a specific case and processing is lawful based on a weighing of interests. There is a legitimate interest in particular prior to entry into transactions that carry a financial risk of default. The creditworthiness check serves to protect recipients from losses in the lending business and at the same time makes it possible to protect borrowers from excessive indebtedness by providing advice. In addition, this data is processed for fraud prevention, legitimacy checks, money laundering prevention, identity and age checks, address identification, customer service or risk management as well as setting rates and conditions. In addition to the purposes referred to above, SCHUFA also processes personal data for internal purposes (e.g., assertion of legal claims and defence in the event of legal disputes, continued development of services and products, research and development, in particular to carry out internal research projects (e.g., SCHUFA Credit Compass) or to participate in national and international external research projects related to the processing purposes referred to above, and to safeguard IT security and operations). The legitimate interest related to the foregoing is based on the respective purposes and is otherwise of an economic nature (e.g., efficient task fulfilment, avoidance of legal risks). Anonymised data may also be processed. SCHUFA will inform you of any changes to the purposes for which data is processed in accordance with Art. 14(4) GDPR.

2.2 Legal bases for data processing

SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation and the German Federal Data Protection Act. Processing is carried out on the basis of consent (Art. 6(1)(a) GDPR) and on the basis of Art. 6(1)(f) GDPR, insofar as processing is necessary in pursuit of the legitimate interests of the data controller, or of a third party, and does not outweigh the legitimate interests or fundamental rights and freedoms of the data subject. Consents can be withdrawn at any time vis-à-vis the respective contractual partner. This also applies to any consent granted before the effective date of the GDPR. The withdrawal of the consent does not affect the lawfulness of personal data processing performed prior to such withdrawal.

2.3 Origin of data

SCHUFA receives some of its data from its contractual partners. These comprise institutions, financial companies and payment service providers domiciled in the European Economic Area and in Switzerland as well as in other third countries (provided that the European Commission has issued a corresponding adequacy decision) that bear a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as other contractual partners who use SCHUFA products for the purposes specified under Section 2.1, in particular from the (mail order) trade, e-commerce, service, rental, energy supply, telecommunications, insurance or collection sectors. In addition, SCHUFA processes information from generally accessible sources such as public directories and official notices (e.g., debtor directories, insolvency announcements) or from compliance lists (e.g. lists of politically exposed persons and sanctions lists) as well as from data suppliers. SCHUFA may also store personal data provided directly by data subjects following appropriate communication and review.

2.4 Categories of personal data subject to processing

- Personal data, e.g., last name (if applicable, also prior last names, which will be provided upon separate request), first name, date of birth, place of birth, address, previous addresses
- Information on the initiation and execution of a transaction in accordance with the contract (e.g., current accounts, instalment credits, credit cards, accounts exempt from garnishment, basic accounts)
- Information on unfulfilled payment obligations, such as claims that are undisputed, due for payment and repeatedly dunned or claims reduced to judgement and their settlement
- Information on abusive or other fraudulent conduct such as identity or credit fraud
- Information from generally accessible sources (e.g., debtor directories, insolvency announcements)
- Data from compliance lists
- Information on whether and in which function an entry on a public figure exists in generally accessible sources with corresponding personal data
- Address data
- Scores

2.5 Categories of recipients of personal data

Recipients are contractual partners within the meaning of Section 2.3 domiciled in the European Economic Area, in Switzerland and, if applicable, in other third countries (provided that a corresponding European Commission adequacy decision is available for the respective partner). Additional recipients may include external contractors of SCHUFA according to Art. 28 GDPR as well as external and internal SCHUFA bodies. SCHUFA is also subject to the statutory powers of intervention on the part of state authorities.

2.6 Data retention period

SCHUFA stores information about persons only for a certain period. The decisive criterion for determining this duration is the necessity of processing for the purposes described above. Specifically, retention periods are specified in a Code of Conduct for the Association of Credit Bureaus “Die Wirtschaftsauskunfteien e. V.” (available at www.schufa.de/loeschfristen). Information about queries is deleted after exactly twelve months.

3. Rights of data subjects

In relation to SCHUFA, every data subject has the right of access pursuant to Art. 15 GDPR, the right of rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR and the right to restrict processing pursuant to Art. 18 GDPR. SCHUFA has set up a Private Customer Service Center for requests by data subjects which can be reached in writing at SCHUFA Holding AG, Private Customer Service Center, PO Box 10 34 41, 50474 Cologne, Germany, by telephone at +49 (0) 6 11-92 78 0 and via an inquiry form at www.schufa.de/rueckfrageformular. In addition, it is also possible to contact the supervisory authority responsible for SCHUFA, the Commissioner for Data Protection and Freedom of Information for the State of Hesse. Consents can be withdrawn at any time vis-à-vis the respective contractual partner.

According to Art. 21(1) GDPR, an objection to data processing may be made based on the particular situation of the data subject. An objection can be submitted informally and is to be addressed to SCHUFA Holding AG, Privatkunden ServiceCenter, PO Box 10 34 41, 50474 Cologne.

4. Profile development (scoring)

In addition to providing information about data stored about a person, SCHUFA supports its contractual partners in their decision-making process by developing profiles, in particular by means of “scores”. This helps, for example, by making it possible to quickly make everyday credit-related decisions.

The generic term profile development concerns the processing of personal data by analysing certain aspects relating to an individual. Particular importance is attached to “scoring” in the context of credit assessment and fraud prevention. However, scoring can also serve to fulfil other purposes mentioned in Section 2.1 of this SCHUFA Notification. Scoring is the process of forecasting future events and behaviour on the basis of information that has been collected and past experience. An assignment is made to statistical groups of persons who had similar data bases in the past on the basis of personal data maintained by SCHUFA that concern an individual.

In addition to the logistic regression method that has been used for many years in the area of credit scoring, SCHUFA can also use scoring methods from the categories of complex non-linear methods or expert-based methods. It is always of particular importance to SCHUFA that the methods used are mathematically and statistically recognised and scientifically sound. Independent external experts have confirmed the scientific validity of these methods to us. In addition, procedures in use are disclosed to the competent supervisory authority. For SCHUFA, regularly checking the quality and currency of procedures in use, and making appropriate updates, is a matter of course.

Creditworthiness scores are determined by SCHUFA on the basis of data stored by SCHUFA relating to a specific person. These data are likewise shown in the data copy according to Art. 15 GDPR. An assignment is then made to statistical groups of persons who had similar data bases in the past on the basis of personal data maintained by SCHUFA. Stored data is aggregated into so-called data types that may be viewed at www.schufa.de/scoring-faq in order to determine creditworthiness scores. Additional data types may be included for determining scores for other purposes. Information on nationality or particularly sensitive data in accordance with Art. 9 GDPR (e.g., ethnic origin or information on political or religious attitudes) is not retained by SCHUFA and is therefore not available for profile development. Similarly, the assertion of rights of data subjects based on the GDPR, such as access to data concerning the data subject maintained by SCHUFA under Art. 15 GDPR, has no influence on profile development. In addition, SCHUFA takes the provisions of section 31 Federal Data Protection Act (BDSG) into account when computing a score.

The probability with which a person will repay a mortgage loan, for example, does not have to correspond to the probability with which they will pay a mail order bill on time. For this reason, SCHUFA offers its contractual partners various sector-specific or even customer-specific scoring models. Scores are constantly changing, as data stored by SCHUFA is also constantly changing. Thus, new data are added while others are deleted based on retention periods. In addition, the data itself also changes over time (e.g., the duration of a business relationship), so that changes can occur even without new data.

Please note: SCHUFA does not make any decisions itself. It merely supports affiliated contractual partners in their decision-making process by providing information and creating profiles. The decision for or against a transaction, however, is made solely by the direct business partner. This is the case even if it relies solely on the information supplied by SCHUFA. Further information on profile formation and scoring at SCHUFA (e.g., on the procedures currently in use) can be found at www.schufa.de/scoring-faq.