Your data at SCHUFA

TRUST AS THE IMPORTANT BASIS

DATA PROTECTION & DATA QUALITY

HANDLING PERSONAL DATA

Data protection and, in particular, the handling of sensitive personal data are at the forefront of our actions.

Our services are subject to the regulations of the General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz, or BDSG). We only store data on servers in Germany. Furthermore, SCHUFA is under the supervision of the Hessian Officer for Data Protection and Freedom of Information. Government agencies have unrestricted access to all procedures and processes with data-protection relevance in our organisation, and we are in a continuous dialogue with each other.

Would you like to know which data about you is stored at SCHUFA?

Order SCHUFA-Datenkopie here - the free overview of the data we have stored about you.

Only correct data is meaningful data

Over 10,000 companies trust our information. Data forms the basis for our business, which is why we check the quality of our information very carefully and constantly improve it. Our quality assurance actions include complex data analyses, plausibility checks and inventories, during which we verify stored information together with our customers. Furthermore, we initiate regular spot checks to ensure the companies connected to us comply with data protection directives and reporting obligations.

Common interest in correct data

Because we work in accordance with the reciprocity principle, our contractual partners are equally data suppliers and recipients. Obviously, they are just as interested in the quality of the information as we are. But only current and correct data will lead to secure mutual protection against payment defaults.

AND WHAT IF SOMETHING’S NOT RIGHT?

If you think that something about the data stored about you at SCHUFA is not right, then just inform our Private Client Service and we’ll clarify the matter. We will usually contact the company from which the data originated to do this. If any stored information actually is faulty or if there are justified doubts about its accuracy, it will be corrected or erased as quickly as possible.

SCHUFA & GDPR

AN OVERVIEW

Consistent data protection

People rely on their data being protected and secure. Meeting this expectation has top priority at SCHUFA.

The European General Data Protection Regulation (GDPR) came into force in all 28 Member States in May 2018. This created the pre-condition for consistent EU-wide data protection standards. All organisations that process personal data must meet the obligations set by the GDPR – from large search engine operators to small businesses and clubs.

Transparency is the basis of trust

Every consumer can order a copy of their personal data from SCHUFA free of charge. This consists of all data stored about them at SCHUFA at the time of the retrieval. However, we recommend you do not forward a Datenkopie to third parties, because it will contain information only intended for you.

“Legitimate interest” is the pre-condition for data transmission

The GDPR means that concrete consent from consumers in the form of a so-called “SCHUFA clause” is no longer required. The legal basis for transmitting data to SCHUFA is the existence of a “legitimate interest” in data processing. This is legally regulated in Art. 6 (1) f) of the GDPR.

As before, the following applies to payment problems, i.e. outstanding debts. These may only be reported to SCHUFA if the consumer has been given two reminders, if the first reminder was at least four weeks ago, the debt is undisputed and the consumer had also been notified of the possibility that data would be transmitted to SCHUFA. This approach is a constituent of the agreements concluded with companies that are connected to the SCHUFA procedure.

The Datenkopie: all SCHUFA information at a glance

  • With the Datenkopie consumers can get an overview of all the information stored about them at SCHUFA. This also includes enquiries made by companies about them in the past 12 months, as well as lots of general information about types of data and the score procedure.
  • Sheet 1 consists of the covering letter, where the personal data that is stored and also required for identification (name, address, date of birth etc.) can be seen.
  • The other sheets contain further information:
    • Credit-relevant data stored,
    • Enquiries from companies,
    • Score figures transmitted to contractual partners over the past 12 months,
    • The SCHUFA-Basisscore, which is calculated quarterly,
    • Supplementary explanations and notes.

Therefore, the Datenkopie contains information only intended for you and that you should not forward to third parties. If you require a credit report for third parties – for example, for landlords – we recommend the fee-based BonitätsAuskunft.

How you can order a Datenkopie:

The free-of-charge SCHUFA-Auskunft can be ordered via a number of channels:

  • Using the Online order form
  • By telephone on 0611 - 92780
  • Or in writing to SCHUFA Holding AG, Postfach 10 25 66, 44725 Bochum

Verification of your creditworthiness for third parties

With SCHUFA-BonitätsAuskunft consumers can receive verification which can also be forwarded to third parties – for example, to landlords. This certificate is protected in a number of ways. It contains a hologram strip, a moiré pattern, the SCHUFA seal and a quality seal. All these things and the issue date verify that the certificate is genuine and up-to-date. SCHUFA-BonitätsAuskunft provides information about your previous payment behaviour. We will send you explanatory information with the SCHUFA-BonitätsAuskunft. You will find the SCHUFA-Orientierungswert and the SCHUFA-Branchenscores in it - which are updated every day. It does not include your SCHUFA-Basisscore. In addition, we’ll supply you with an overview of all the information notified by our SCHUFA contractual partners.

You can order SCHUFA-BonitätsAuskunft for a fee of €29.95:

Standards for data erasure

In the General Data Protection Regulation (GDPR), there are no longer any specific regulations on the question of how long credit agencies such as SCHUFA may store and use data.

In order to create legal certainty and clarity for consumers - but also for companies - the credit agencies in Germany, together with the relevant supervisory authorities, have agreed a Code of Conduct (CoC) to regulate deletion periods.

The CoC creates a uniform standard for all credit agencies. Consumers want to fulfill their financial wishes quickly, securely and without complications - lending companies want to reduce the risk of default. The CoC regulates how both interests can be brought together.

Check and deletion periods for personal data

Data will be deleted automatically on a precisely stipulated date on the basis of the set storage periods.

Which information? / When will this data be deleted from SCHUFA files?
  • Disruption-free credits
    Three years precisely after their completion
  • Credit enquiries
    After twelve months
  • Disruption-free contracts (current accounts, basic accounts, credit cards, telecommunications accounts)
    Directly after the contractual partner reports termination / closure to SCHUFA
  • Previous addresses
    Will be stored for three years. Previous addresses are important information for identification purposes and can avoid mistaken identities. Consequently, storage can be extended for a further three years, if no new previous addresses are added.
  • Execution accounts, basic accounts
    Directly after the contractual partner reports termination / closure to SCHUFA
  • Data from debtor directories
    After three years, or earlier if a deletion by the central court of enforcement can be proven to SCHUFA
  • Consumer/insolvency proceedings or discharge of residual debt proceedings
    Three years after the end of insolvency proceedings
  • Dismissed insolvency proceedings or discharge of residual debt proceedings
    After three years


Overview of the Code of Conduct of German Credit Bureaux

The rules of conduct for check and deletion periods for personal data set by German Credit Bureaux are summarised in the Code of Conduct of 25 May 2018.

I. Preliminary remark

The association “Die Wirtschaftsauskunfteien e.V.” (hereinafter “DW”) represents the interests of the large credit bureaux.

The companies that accede to these rules of conduct are obliged to comply with these from the point in time of accession. The association will document the accession of the company and disclose this in a suitable form.
Members include the companies Bisnode Deutschland GmbH, Creditreform Boniversum GmbH, CRIF Bürgel GmbH, IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, infoscore Consumer Data GmbH, SCHUFA Holding AG and Verband der Vereine Creditreform e.V.

The purpose of the association is to bundle the interests of credit bureaux through a voluntary aggregation of companies and business associations that are active in this branch and to promote these interests through common goals. The association represents the interests of its members in that it takes positions on topics that are of importance to members’ activities towards the supervisory authorities, the German Federal States, ministries of state and political decision-makers.

Furthermore, one important concern of the association is to set quality standards for the branch. This primarily relates to data protection, which is of particularly great importance to credit bureaux.

The European General Data Protection Regulation (GDPR) has largely superseded the German Federal Data Protection Act (BDSG). When the GDPR came into force, its effects included the cancellation of regulations relevant to data processing carried out by German credit bureaux. This also includes the check and deletion periods previously included in Section 35 (2) 2) 4 of the BDSG (previous version). Through a review after four or three years, these periods were intended to establish whether a longer storage duration was still required. As a rule, the deletion of matters that were no longer relevant was reached as a result. Conversely, however, the periods stipulated in Section 35 (2) 2) 4 of the BDSG (previous version) also recognised that in any case the storage carried out within the periods was necessary and served legitimate interests. Although the GDPR retains the principle of necessity in Art. 5 (1) e), it does not include any defined check periods. However, in order to actually ensure the necessity review, Recital 39 nevertheless assumes that the controller provides corresponding periods.

To clarify, it must be pointed out that the precise deletion provided in the following text also includes deletion on the effective date following a weekend.

These rules of conduct do not preclude a special review in an individual case on application by the data subject (as per Art. 17, 21 of the GDPR).

Consequently, in agreement with its members, and in the interests of legal certainty when processing data permissibly drawn on to check creditworthiness, the Association DW has formulated the periods detailed below for a review of the necessity to delete personal data stored for master data. The periods stipulated here create uniform standards and establish a voluntary obligation of the members to comply with the rules set in this document and to align themselves on these rules of conduct.

The rules of conduct specified here will offer data subjects a guarantee that
  • data protection issues will continue to be very important in the credit bureaux branch, including after the GDPR came into force on 25 May 2018,
  • storage of their personal data in compliance with data protection law, because it is aligned on necessity, will be carried out by bringing the legitimate interests of data subjects and the controller into harmony, and
  • there will also continue to be transparency for them with regard to the check and deletion periods practised by credit bureaux and that fair processing will be carried out as a result.

The rules of conduct specified here relate to the processing of personal data by member companies in Germany; these rules do not make any statement about storage and deletion periods for the processing of personal data outside Germany.

These rules of conduct do not contain any rules about the material authorisation to store personal data. The rule for storage and deletion periods also does not indicate the legality of the storage of data.

The following deletion and storage periods apply notwithstanding whether the underlying data was collected and stored on a legal basis or on the basis of consents.

The rules of conduct will be expanded step-by-step to cover additional circumstances with data protection relevance.

II. Check and deletion periods for personal data

1. Personal data about due, outstanding and undisputed debts:

a) Personal data about due and undisputed debts will remain stored as long as the settlement of these has not been reported; the necessity of continued storage will be reviewed three years (precisely) after the occurrence of the relevant incident (e.g. first registration of the debt or balance update).

b) Personal data will be deleted precisely three years after the settlement of the debt.

Notwithstanding this, an individual review will be carried out whether the storage of the data is still necessary on application by the data subject (Art. 17 (1) a) of the GDPR).

2. Personal data which is based on entries in the debtor book or publications about (consumer or regular) insolvency proceedings:

a) Data from the debtor books of the central courts of execution (entries pursuant to Section 882c (1) 1) 1 – 3 ZPO) will be deleted three years precisely after entry in the debtor book, or earlier if the central court of execution proves/reports a deletion to the credit bureau.

b) Information about (consumer or regular) insolvency proceedings or discharge of residual debt proceedings will be deleted precisely three years after the end of insolvency proceedings or the issue of the discharge of residual debt.

Information about

  • the rejection of an insolvency application due to lack of assets,
  • the cancellation of security measures or
  • the refusal of the discharge of residual debt
will be deleted after precisely three years.


3. Personal data about continuing obligations (contractual data) that are at risk of financial default due to an advance payment:

a) Information about disruption-free contractual data about credit relationships that are documented with the debt thus established (in particular loans, financing assistance, contracts for delivery in instalments or part-payments), will remain stored until the outstanding debt thus established has been settled; if the settlement of these is reported, the personal data will be deleted precisely three years afterwards.

b) Information about disruption-free contractual data about accounts that are documented without the establishing debt (e.g. current accounts, credit cards, telecommunications accounts or energy accounts), will remain stored as long as the accounts exist; if the termination of these accounts is reported, the information will be deleted.

c) Information about contracts for which the evidence review is legally stipulated (such as for exemption from execution accounts or basic accounts), remain stored as long as these exist; if their termination is reported, the information will be deleted.

d) Information about securities will be deleted as soon as the termination of the security is reported.

e) Trading accounts that are kept on the credit side will be deleted after precisely three years, after all debts have been repaid.

After execution as per the preceding rules, the aforementioned data must be deleted immediately on application by the data subject.

4. Other data:

a) Person-related previous addresses will remain stored for precisely three years, subsequently, the necessity of continued storage for a further three years will be reviewed. Subsequently, these addresses will be deleted on the precise date, if a longer storage period is not required for the purposes of identification.

b) Information about the misuse of an account or a card by the legal account holder will be deleted after precisely three years.

d) Disclosures about third-party enquiries will be stored for at least one year, however, for a maximum of three years precisely. After the end of a year disclosures about these enquiries must be deleted on an application of the data subject.

e) The necessity for continued storage of data, which relates to a person, taken from other public/publicly accessible sources will be reviewed after three years at the latest. In cases with completion, such as an amendment in or deletion from the commercial register, the personal data will be deleted after three years.

III. Reviewing compliance with the deletion periods set here

The companies that accede to these rules of conduct guarantee that compliance with the check and deletion periods set here can be reviewed at any time. The Association DW shall – regardless of the tasks and authorisations of the relevant company Data Protection Officers and competent supervisory authorities – appoint a position accredited by the competent supervisory authority as per Art. 41 (1) of the GDPR to monitor compliance with these rules of conduct. At the choice of the Association DW this position may involve an external position that holds the required accreditation or an appropriate position within the Association.

1. DW will appoint a control position for the monitoring, which

a. must have demonstrated its independence and specialist knowledge with regard to the object of the monitoring to the satisfaction of the competent supervisory authority;

b. has proven to the satisfaction of the competent supervisory authority that its tasks and obligations do not lead to a conflict of interests;

c. has appropriate financial and personnel resources depending on the number, size and complexity of the companies to be monitored, as well as the risk content of the data processing, and has proven this to the satisfaction of the competent supervisory authority;

d. uses its own employees to carry out the core tasks of the monitoring and not subcontractors;

e. has provided a concrete contact and their contact details to the competent supervisory authority for monitoring purposes;

f. provided an internal monitoring position within the Association is involved, is organisationally separate up to the level below the management board inclusive from the other areas of the Association; in this case DW shall ensure that the internal monitoring position can act free of instructions and is protected from any sanctions within the scope of the fulfilment of its tasks.

2. The control position tasked to monitor these rules of conduct fulfils the tasks and obligations detailed below:

a. Continuous monitoring as well as an annually rotating review of an appropriate number of the acceded companies depending on the risk content of the data processing and identified focal points of complaints, as well as a case-specific review of the relevant acceded company (in particular in the event of complaints with regard to alleged non-compliance with these rules of conduct by an acceded company).

b. Regular and case-specific monitoring of the suitability of these rules of conduct. This includes a conceptual review of whether these rules of conduct are practicable, sufficiently precise and have been formulated comprehensively, cover the need for regulation and are accepted in practice.

c. Case-specific requirement to provide information without delay about the actions taken and their justification both to the management board of the affected company and also to the data protection supervisory authority with competence for the affected company. The control position will be enabled to have a direct reporting path to the management board of the acceded companies.

d. The control position is entitled to all the investigation authorisations required to fulfil the tasks. The acceded companies shall provide the information required for this purpose on demand. The position shall receive access to all personal data, processing procedures and other information that is necessary to fulfil its tasks. In addition, the acceded companies shall allow the position access to the business premises, including all data processing facilities. The control position may also conduct investigations in the form of data protection reviews. The investigation authorisations also exist towards processors of the acceded companies, as well as towards third parties in accordance with Art. 4 (10) of the GDPR.

e. The control position shall document its investigation activities and shall take, if required, suitable actions towards the acceded companies to ensure compliance with the rules of conduct set here and that DW – in coordination with the competent supervisory authority – further develops these rules.

f. In the event of any breaches of these rules of conduct by an acceded company the control position shall take suitable actions with the aim of preventing the identified breach and avoiding any recurrence. The position shall treat all information about companies and natural persons (including data subjects and complainants) in confidence and keep this information secret. The control position shall be authorised to forward information to the competent supervisory authority insofar as such forwarding is required to fulfil its tasks and obligations. The position shall inform the management board of the affected company, as well as the supervisory authority with competence for the company, in the event any breaches of these rules of conduct are identified about the actions taken and their justification, without undue delay.

g. The control position has the right to exclude acceded companies from these rules of conduct in the event of repeated breaches, or in the case of non-remedy of identified breaches of these rules of conduct.

IV. Miscellaneous

  • Reservation clause
    These rules of conduct, as well as the monitoring rules set in Section III., apply subject to legal amendments that affect their regulatory content or any rulings to the contrary at European level (European Data Protection Commission, European Court of Justice).
  • Evaluation
    These rules of conduct apply until 25 May 2024. Two years before expiry at the latest the Association DW shall submit a written evaluation report to the competent supervisory authority.
    If the supervisory authority does not raise any objections, these rules of conduct shall be renewed for a further six years.

Rectification, right to object and hardship provision

Rectification

If you ever have the feeling that something is not right about your SCHUFA-Daten, please contact us. We’ll find out together what’s missing or is not correct and can then correct it.

SCHUFA accepts rectification information by telephone, post and online. (SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone on +49 (0)611 - 92780 and using our query form here)

Right to object

The right to object to the processing of personal data is regulated in the General Data Protection Regulation (GDPR). An objection is possible if there are special circumstances that override the interests of SCHUFA in the collection, processing or use of data; this includes particular situations that could represent a danger to the life of the data subject or cause an injury to them, for example, if data subjects are enrolled in a witness protection programme or live in a women’s refuge.

You'll find more information here.

In order to assert their right to object, data subjects can send their enquiry, with corresponding evidence, by post to SCHUFA for review.

Hardship provision

SCHUFA will check hardship cases individually. Please contact us for this purpose.

Get in touch

With us

Your contact persons

SCHUFA Privatkunden ServiceCenter

Postfach 103441
50474 Köln
meineschufa@schufa.de
Tel.: +49 611 9278-0
Fax: +49 611 - 9278-109
Mon. - Fri. 08:00 - 19:00