Status: December 2018
1. Name and contact information for the controller as well as the company data protection officer
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0
The SCHUFA company data protection officer may be reached at the address listed above, attn. Department of Data Protection or by email at firstname.lastname@example.org.
2. Data processing by SCHUFA
2.1 Purpose of data processing and legitimate interests pursued by SCHUFA or a third party
SCHUFA processes personal data in order to provide recipients with a legitimate interest information needed to evaluate the creditworthiness of individuals and legal entities. Scores are calculated and provided to this end. It only provides information if a legitimate interest in such information is credibly shown in a particular case and processing such information is permissible upon weighing all interests concerned. Without limitation, a legitimate interest in present upon entering into transactions with a financial default risk. A credit assessment serves to protect the recipient against losses in the lending business and, at the same time, provides an opportunity to protect borrowers from unreasonable indebtedness by providing counselling. Furthermore, data is processed for purposes of fraud prevention, integrity assessment, money laundering prevention, identity and age verification, address location, customer service or risk management as well as tariff classification and assessing conditions. Pursuant to Art. 14 (4) GDPR, SCHUFA will provide information regarding any changes to the purposes for which it processes data.
2.2 Legal bases for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation. Data is processed on the basis of consent as well as on the basis of Art. 6 (1) (f) GDPR provided that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Consents may be revoked at any time by declaration to the relevant contractual partner. This applies in like manner to consents provided prior to the effective date of the GDPR. The revocation of consent does not affect the legality of personal data processed prior to revocation.
2.3 Data sources
SCHUFA receives its data from its contractual partners. They are institutions, finance companies and payment service providers domiciled in the European Economic Area and Switzerland as well third countries as applicable (to the extent an adequacy decisions from the European Commission is available) that are exposed to a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as additional contractual partners who use SCHUFA products for the purposes described in section 2.1, in particular (mail order) retailers, e-commerce companies, service providers, leasing, energy supply, telecommunications, insurance or collections companies. Furthermore, SCHUFA processes information from generally accessible sources such as public registries and official publications (e.g. debtor registers, insolvency announcements).
2.4 Categories of personal information that is processed (personal data, payment history and contractual compliance)
- Personal data, e.g. surname (if applicable prior names that may be provided upon special request), given name, date of birth, place of birth, address, prior addresses
- Information regarding the initiation and execution of a transaction in accordance with the contract (e.g. Giro accounts, instalment loans, credit cards, garnishment-exempt accounts, basic accounts)
- Information regarding undisputed, past-due claims subject to repeated dunning or reduced to judgement and their resolution
- Information regarding abusive or otherwise fraudulent activities such as identity theft or credit rating
- Information from public registries and official publications
2.5 Categories of recipients of personal data
Recipients comprise contractual and business partners listed in section 2.3 domiciled in the European Economic Area and Switzerland as well other third countries as applicable (to the extent an adequacy decision from the European Commission is available for such countries). Additional recipients may include external contractors pursuant to Art. 28 GDPR as well as external and internal SCHUFA recipients. SCHUFA is furthermore subject to the statutory powers of intervention held by public authorities.
2.6 Duration of data storage
SCHUFA stores information about persons only for a certain period.
Necessity is the decisive factor for defining this period. SCHUFA has established standard periods for a review of necessity for further storage and/or deletion of personal data. Based on these rules, the general storage period for personal data is three years from the date of their transaction. The foregoing notwithstanding, examples of other deletion periods include:
- Information regarding enquiries twelve months to the date
- Information regarding trouble-free contractual data related to accounts that are documented without the associated claim (e.g. Giro accounts, credit cards, telecommunications accounts or energy accounts), information regarding contracts for which an evidential review of provided by law (e.g. accounts exempt from garnishment, basic accounts) as well as guarantees and trading accounts that are maintained on the credit side, immediately after notification of termination.
- Data from debtor registers of the central enforcement courts three years to the day, however earlier if SCHUFA is shown evidence of deletion by the central enforcement court
- Information on consumer/insolvency proceedings or residual-debt exemption proceedings three years to the day following termination of the insolvency proceedings or issuance of a residual debt exemption. Deletion may be also be performed at an earlier date as specially warranted in specific cases.
- Information regarding the rejection of an insolvency petition due to a lack of assets, the suspension of a stay or the failure of the residual debt exemption, three years to the day
- Personal prior addresses remain stored for three years to the day; a review of the necessity of an additional three years of storage is conducted thereafter. Thereafter, they are deleted three years to the day provided that a longer storage period is not required for identification purposes.
3. Rights of the data subject
In relation to SCHUFA, every person concerned has the right of access under Art. 15 GDPR, the right of rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR and the right to restrict processing under Art. 18 GDPR. SCHUFA has set up a consumer service centre for the concerns of data subjects. It may be reached in writing at SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone at +49 (0) 6 11-92 78 0 and via an online form available at www.schufa.de. Furthermore, it is also possible to contact the supervisory authority responsible for SCHUFA, the Commissioner for Data Protection of Hesse. Consents may be revoked at any time by declaration to the relevant contractual partner.
|We are obliged to inform you that, according to Art. 21(1) GDPR, you can object to data processing on grounds relating to your particular situation (e.g. witness protection, women's shelter). You may submit your objection on an informal basis to SCHUFA Holding AG, Privatkunden ServiceCenter, |
Postfach 10 34 41, 50474 Cologne, Germany.
4. Profile development (scoring)
Before entering into transactions with a financial default risk, Business Partners want to be able to assess, to the greatest extent possible, whether payment obligations assumed can be satisfied. Based on a SCHUFA report, and profiling by means of so-called score values, SCHUFA supports lenders in making decisions and helps them quickly process day-to-day credit transactions. As part of the scoring process, a forecast of future events is created on the basis of information that has been collected and past experience. At SCHUFA, all probability values are calculated on the basis of the information stored by SCHUFA related to a data subject; this information referred to in the report pursuant to Art. 15 GDPR. In addition, SCHUFA complies with the provisions of section 31 BDSG in the scoring process. Entries saved with regard to a person are assigned to statistical groups of persons who had similar entries in the past. Scoring is based on mathematically and statistically recognised and proven methods.
The following types of data are used by SCHUFA to calculate scores, whereby not every data type is included in each specific score calculation: General data (e.g. date of birth, gender or number of addresses used in business transactions), previous payment problems, credit activity last year, credit use, length of credit history and address data (only if little personal credit-relevant information is available). Certain information is neither stored nor taken into account in calculating score values, e.g. information on nationality or particularly sensitive data according to Art. 9 GDPR (e.g. ethnic origin or information on political or religious beliefs). The assertion of rights according pursuant to the GDPR, e.g. the inspection of the information stored at SCHUFA under to Art. 15 GDPR likewise has no influence on score values.
The probability with which a person will repay a mortgage loan need not necessarily correspond to the probability with which they will pay an invoice for a mail order purchase on time. For this reason, SCHUFA offers its business partners a variety of industry-specific score models: so-called SCHUFA Industry Scores. As a rule, they represent the probability of a payment default within 15 months. For specific industries, the period may differ in order to better address the peculiarities of the business models customary in the sector (e.g. telecommunications, mortgage lending). Scores are constantly changing given that the information stored about a person by SCHUFA is subject to change as well. For example, new information is added whereas other information is deleted in line with applicable retention periods. In addition, information itself changes over time (e.g. the duration of a business relationship), so that changes may occur even without considering new information.
Please note: SCHUFA itself does not make any decisions; it only supports its affiliated business partners by providing information for their respective decision-making process. The specific business partner is solely responsible for risk assessment and evaluating creditworthiness due to the circumstance that only they have access to a wide variety of additional information, e.g. information contained in the credit application. This applies even if they rely solely on the information and score values supplied by SCHUFA.
Independent of credit rating scoring, SCHUFA supports its business partners in the form of FraudPreCheck (FPC) by creating profiles for recognising conspicuous facts (e.g. for the purpose of fraud prevention in mail order transactions). For this purpose, inquiries from SCHUFA business partners are analysed in order to examine them for potential anomalies. In addition to inquiries from the past ninety days, which, on the basis of SCHUFA findings, originate from known patterns of manipulation by the person inquired about; this calculation may also include address data, information whether and in which function an entry on a person in public life with matching personal data is included in generally accessible sources, as well as aggregated statistical information from the SCHUFA database. In addition, the inquiry times recorded in each case can also be taken into account when determining the anomaly, whereby SCHUFA assumes that the application was submitted by the person concerned within three hours before the time of inquiry listed.
Taking this information into account, a ten-digit anomaly value (FPC value) between 0 and 1 is determined for each request following the FPC procedure and is sent to the business partner. The smaller the FPC value, the less remarkable the inquiry data; the larger the value, the greater the anomaly. SCHUFA's business partners can use the value to further reduce risk in their business processes.
The significance attached to a specific FPC value for the respective business partner is always a decision for the business partner itself on the basis of the respective risk structure. An increased number of anomalies may, for example, result in the business partner not offering risky payment methods such as purchase on account, but this alone is no reason to reject an application. In addition to the FPC value, business partners also use their own fraud prevention procedures, which are often used in combination Given that a transaction in distance selling can take several steps until the ordered goods are delivered, for example, the business partner can access new information about anomalies in the form of updated FPC values until the transaction is completed.
The inquiry data transmitted by business partners for the purpose of fraud prevention are stored by SCHUFA for 12 months to the day and identified in the data copy (in accordance with Art. 15 GDPR). Furthermore, personal data currently stored by SCHUFA for processing in this procedure are likewise identified. The FPC procedure has no effect on SCHUFA's credit assessment and credit rating scoring.
Additional information about credit rating scoring or the recognition of suspicious situations is available at www.scoring-wissen.de.