2.1 Purposes of data processing and legitimate interests pursued by SCHUFA or a third party
SCHUFA processes personal data in order to provide authorised recipients with information for assessing the creditworthiness of natural and legal persons. Scores are also determined and transmitted for this purpose. It only makes this information available if a legitimate interest in such information has been credibly presented in a specific case and processing is lawful based on a weighing of interests. There is a legitimate interest in particular prior to entry into transactions that carry a financial risk of default. The creditworthiness check serves to protect recipients from losses in the lending business and at the same time makes it possible to protect borrowers from excessive indebtedness by providing advice. In addition, this data is processed for fraud prevention, legitimacy checks, money laundering prevention, identity and age checks, address identification, customer service or risk management as well as setting rates and conditions. In addition to the purposes referred to above, SCHUFA also processes personal data for internal purposes (e.g., assertion of legal claims and defence in the event of legal disputes, continued development of services and products, research and development, in particular to carry out internal research projects (e.g., SCHUFA Credit Compass) or to participate in national and international external research projects related to the processing purposes referred to above, and to safeguard IT security and operations). The legitimate interest related to the foregoing is based on the respective purposes and is otherwise of an economic nature (e.g., efficient task fulfilment, avoidance of legal risks). Anonymised data may also be processed. SCHUFA will inform you of any changes to the purposes for which data is processed in accordance with Art. 14(4) GDPR.
2.2 Legal bases for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation and the German Federal Data Protection Act. Processing is carried out on the basis of consent (Art. 6(1)(a) GDPR) and on the basis of Art. (1)(f) GDPR, insofar as processing is necessary in pursuit of the legitimate interests of the data controller, or of a third party, and does not outweigh the legitimate interests or fundamental rights and freedoms of the data subject. Consents can be withdrawn at any time vis-à-vis the respective contractual partner. This also applies to any consent granted before the effective date of the GDPR. The withdrawal of the consent does not affect the lawfulness of personal data processing performed prior to such withdrawal.
2.3 Origin of data
SCHUFA receives some of its data from its contractual partners. These comprise institutions, financial companies and payment service providers domiciled in the European Economic Area and in Switzerland as well as in other third countries (provided that the European Commission has issued a corresponding adequacy decision or standard contract clauses have been agreed – these can be read at www.schufa.de) that bear a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as other contractual partners who use SCHUFA products for the purposes specified under Section 2.1, in particular from the (mail order) trade, e-commerce, service, rental, energy supply, telecommunications, insurance or collection sectors. In addition, SCHUFA processes information from generally accessible sources such as public directories and official notices (e.g., debtor directories, insolvency announcements) or from compliance lists (e.g. lists of politically exposed persons and sanctions lists) as well as from data suppliers. SCHUFA may also store personal data provided directly by data subjects following appropriate communication and review.
2.4 Categories of personal data subject to processing:
Personal data, e.g., last name (if applicable, also prior last names, which will be provided upon separate request), first name, date of birth, place of birth, address, previous addresses | Information on the initiation and execution of a transaction in accordance with the contract (e.g., current accounts, instalment credits, credit cards, accounts exempt from garnishment, basic accounts) | Information on unfulfilled payment obligations, such as claims that are undisputed, due for payment and repeatedly dunned or claims reduced to judgement and their settlement | Information on abusive or other fraudulent conduct such as identity or credit fraud | Information from generally accessible sources (e.g., debtor directories, insolvency announcements) | Data from compliance lists | Information on whether and in which function an entry on a public figure exists in generally accessible sources with corresponding personal data | Address data | Scores
2.5 Categories of recipients of personal data
Recipients are contractual partners within the meaning of Section 2.3 domiciled in the European Economic Area, in Switzerland and, if applicable, in other third countries (provided that a corresponding European Commission adequacy decision is available or standard contract clauses have been agreed – these can be read at www.schufa.de). Additional recipients may include external contractors of SCHUFA according to Art. 28 GDPR as well as external and internal SCHUFA bodies. SCHUFA is also subject to the statutory powers of intervention on the part of state authorities.
2.6 Data retention period
SCHUFA stores information about persons only for a certain period. The decisive criterion for determining this duration is the necessity of processing for the purposes described above. Specifically, retention periods are specified in a Code of Conduct for the Association of Credit Bureaus “Die Wirtschaftsauskunfteien e. V.” (available at www.schufa.de/loeschfristen). Information about queries is deleted after exactly twelve months.