Our services are subject to the regulations of the General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz, or BDSG). We only store data on servers in Germany. Furthermore, SCHUFA is under the supervision of the Hessian Officer for Data Protection and Freedom of Information. Government agencies have unrestricted access to all procedures and processes with data-protection relevance in our organisation, and we are in a continuous dialogue with each other.
Over 10,000 companies trust our information. Data forms the basis for our business, which is why we check the quality of our information very carefully and constantly improve it. Our quality assurance actions include complex data analyses, plausibility checks and inventories, during which we verify stored information together with our customers. Furthermore, we initiate regular spot checks to ensure the companies connected to us comply with data protection directives and reporting obligations.
Because we work in accordance with the reciprocity principle, our contractual partners are equally data suppliers and recipients. Obviously, they are just as interested in the quality of the information as we are. But only current and correct data will lead to secure mutual protection against payment defaults.
If you think that something about the data stored about you at SCHUFA is not right, then just inform our Private Client Service and we’ll clarify the matter. We will usually contact the company from which the data originated to do this. If any stored information actually is faulty or if there are justified doubts about its accuracy, it will be corrected or erased as quickly as possible.
People rely on their data being protected and secure. Meeting this expectation has top priority at SCHUFA.
The European General Data Protection Regulation (GDPR) came into force in all 28 Member States in May 2018. This created the pre-condition for consistent EU-wide data protection standards. All organisations that process personal data must meet the obligations set by the GDPR – from large search engine operators to small businesses and clubs.
Every consumer can order a copy of their personal data from SCHUFA free of charge. This consists of all data stored about them at SCHUFA at the time of the retrieval. However, we recommend you do not forward a Datenkopie to third parties, because it will contain information only intended for you.
The GDPR means that concrete consent from consumers in the form of a so-called “SCHUFA clause” is no longer required. The legal basis for transmitting data to SCHUFA is the existence of a “legitimate interest” in data processing. This is legally regulated in Art. 6 (1) f) of the GDPR.
As before, the following applies to payment problems, i.e. outstanding debts. These may only be reported to SCHUFA if the consumer has been given two reminders, if the first reminder was at least four weeks ago, the debt is undisputed and the consumer had also been notified of the possibility that data would be transmitted to SCHUFA. This approach is a constituent of the agreements concluded with companies that are connected to the SCHUFA procedure.
Therefore, the Datenkopie contains information only intended for you and that you should not forward to third parties. If you require a credit report for third parties – for example, for landlords – we recommend the fee-based BonitätsAuskunft.
How you can order a Datenkopie:
The free-of-charge SCHUFA-Auskunft can be ordered via a number of channels:
With SCHUFA-BonitätsAuskunft consumers can receive verification which can also be forwarded to third parties – for example, to landlords. This certificate is protected in a number of ways. It contains a hologram strip, a moiré pattern, the SCHUFA seal and a quality seal. All these things and the issue date verify that the certificate is genuine and up-to-date. SCHUFA-BonitätsAuskunft provides information about your previous payment behaviour. We will send you explanatory information with the SCHUFA-BonitätsAuskunft. You will find the SCHUFA-Orientierungswert and the SCHUFA-Branchenscores in it - which are updated every day. It does not include your SCHUFA-Basisscore. In addition, we’ll supply you with an overview of all the information notified by our SCHUFA contractual partners.
You can order SCHUFA-BonitätsAuskunft for a fee of €29.95:
In the General Data Protection Regulation (GDPR), there are no longer any specific regulations on the question of how long credit agencies such as SCHUFA may store and use data.
In order to create legal certainty and clarity for consumers - but also for companies - the credit agencies in Germany, together with the relevant supervisory authorities, have agreed a Code of Conduct (CoC) to regulate deletion periods.
The CoC creates a uniform standard for all credit agencies. Consumers want to fulfill their financial wishes quickly, securely and without complications - lending companies want to reduce the risk of default. The CoC regulates how both interests can be brought together.
The rules of conduct for check and deletion periods for personal data set by German Credit Bureaux are summarised in the Code of Conduct of 25 May 2018.
I. Preliminary remark
The association “Die Wirtschaftsauskunfteien e.V.” (hereinafter “DW”) represents the interests of the large credit bureaux.
The companies that accede to these rules of conduct are obliged to comply with these from the point in time of accession. The association will document the accession of the company and disclose this in a suitable form. Members include the companies Bisnode Deutschland GmbH, Creditreform Boniversum GmbH, CRIF Bürgel GmbH, IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, infoscore Consumer Data GmbH, SCHUFA Holding AG and Verband der Vereine Creditreform e.V.
The purpose of the association is to bundle the interests of credit bureaux through a voluntary aggregation of companies and business associations that are active in this branch and to promote these interests through common goals. The association represents the interests of its members in that it takes positions on topics that are of importance to members’ activities towards the supervisory authorities, the German Federal States, ministries of state and political decision-makers.
Furthermore, one important concern of the association is to set quality standards for the branch. This primarily relates to data protection, which is of particularly great importance to credit bureaux.
The European General Data Protection Regulation (GDPR) has largely superseded the German Federal Data Protection Act (BDSG). When the GDPR came into force, its effects included the cancellation of regulations relevant to data processing carried out by German credit bureaux. This also includes the check and deletion periods previously included in Section 35 (2) 2) 4 of the BDSG (previous version). By requiring a review after four or three years, these periods were intended to establish whether a longer storage duration was still required. As a rule, this resulted in the deletion of matters that were no longer relevant. Conversely, however, the periods stipulated in Section 35 (2) 2) 4 of the BDSG (previous version) also recognised that storage carried out within the periods was in any case necessary and served legitimate interests. Although the GDPR retains the principle of necessity in Art. 5 (1) e), it does not include any defined check periods. However, in order to actually ensure the necessity review, Recital 39 nevertheless assumes that the controller provides corresponding periods. To clarify, it must be pointed out that the precise deletion provided in the following text also includes deletion on the effective date following a weekend.
These rules of conduct do not preclude a special review in an individual case on application by the data subject (as per Art. 17, 21 of the GDPR).
Consequently, in agreement with its members, and in the interests of legal certainty when processing data permissibly drawn on to check creditworthiness, the Association DW has formulated the periods detailed below for a review of the necessity to delete personal data stored for master data. The periods stipulated here create uniform standards and establish a voluntary obligation of the members to comply with the rules set in this document and to align themselves on these rules of conduct.
The rules of conduct specified here relate to the processing of personal data by member companies in Germany; these rules do not make any statement about storage and deletion periods for the processing of personal data outside Germany.
These rules of conduct do not contain any rules about the material authorisation to store personal data. The rule for storage and deletion periods also does not indicate the legality of the storage of data.
The following deletion and storage periods apply notwithstanding whether the underlying data was collected and stored on a legal basis or on the basis of consents.
The rules of conduct will be expanded step-by-step to cover additional circumstances with data protection relevance.
II. Check and deletion periods for personal data
1. Personal data about due, outstanding and undisputed debts:
a) Personal data about due and undisputed debts will remain stored as long as the settlement of these has not been reported; the necessity of continued storage will be reviewed three years (precisely) after the occurrence of the relevant incident (e.g. first registration of the debt or balance update).
b) Personal data will be deleted precisely three years after the settlement of the debt.
Notwithstanding this, an individual review will be carried out whether the storage of the data is still necessary on application by the data subject (Art. 17 (1) a) of the GDPR).
2. Personal data which is based on entries in the debtor book or publications about (consumer or regular) insolvency proceedings:
a) Data from the debtor books of the central courts of execution (entries pursuant to Section 882c (1) 1) 1 – 3 ZPO) will be deleted precisely three years after entry in the debtor book, or earlier if the central court of execution proves/reports a deletion to the credit bureau.
b) Information about (consumer or regular) insolvency proceedings or discharge of residual debt proceedings will be deleted precisely three years after the end of insolvency proceedings or the issue of the discharge of residual debt.
3. Personal data about continuing obligations (contractual data) that are at risk of financial default due to an advance payment:
a) Information about disruption-free contractual data about credit relationships that are documented with the debt thus established (in particular loans, financing assistance, contracts for delivery in instalments or part-payments), will remain stored until the outstanding debt thus established has been settled; if the settlement of these is reported, the personal data will be deleted precisely three years afterwards.
b) Information about disruption-free contractual data about accounts that are documented without the establishing debt (e.g. current accounts, credit cards, telecommunications accounts or energy accounts), will remain stored as long as the accounts exist; if the termination of these accounts is reported, the information will be deleted.
c) Information about contracts for which the evidence review is legally stipulated (such as for exemption from execution accounts or basic accounts), remain stored as long as these exist; if their termination is reported, the information will be deleted.
d) Information about securities will be deleted as soon as the termination of the security is reported.
e) Trading accounts that are kept on the credit side will be deleted after precisely three years, after all debts have been repaid. After execution as per the preceding rules, the aforementioned data must be deleted immediately on application by the data subject.
4. Other data:
a) Person-related previous addresses will remain stored for precisely three years; subsequently, the necessity of continued storage for a further three years will be reviewed. After that, these addresses will be deleted on the precise date, if a longer storage period is not required for the purposes of identification.
b) Information about the misuse of an account or a card by the legal account holder will be deleted after precisely three years.
d) Disclosures about third-party enquiries will be stored for at least one year, however, for a maximum of three years precisely. After the end of a year disclosures about these enquiries must be deleted on an application of the data subject.
e) The necessity for continued storage of data, which relates to a person, taken from other public/publicly accessible sources will be reviewed after three years at the latest. In cases with completion, such as an amendment in or deletion from the commercial register, the personal data will be deleted after three years.
III. Reviewing compliance with the deletion periods set here
The companies that accede to these rules of conduct guarantee that compliance with the check and deletion periods set here can be reviewed at any time. The Association DW shall – regardless of the tasks and authorisations of the relevant company Data Protection Officers and competent supervisory authorities – appoint a position accredited by the competent supervisory authority as per Art. 41 (1) of the GDPR to monitor compliance with these rules of conduct. At the choice of the Association DW this position may involve an external position that holds the required accreditation or an appropriate position within the Association.
1. DW will appoint a control position for the monitoring, which
a. must have demonstrated its independence and specialist knowledge with regard to the object of the monitoring to the satisfaction of the competent supervisory authority;
b. has proven to the satisfaction of the competent supervisory authority that its tasks and obligations do not lead to a conflict of interests;
c. has appropriate financial and personnel resources depending on the number, size and complexity of the companies to be monitored, as well as the risk content of the data processing, and has proven this to the satisfaction of the competent supervisory authority;
d. uses its own employees to carry out the core tasks of the monitoring and not subcontractors;
e. has provided a concrete contact and their contact details to the competent supervisory authority for monitoring purposes;
f. provided an internal monitoring position within the Association is involved, is organisationally separate up to the level below the management board inclusive from the other areas of the Association; in this case DW shall ensure that the internal monitoring position can act free of instructions and is protected from any sanctions within the scope of the fulfilment of its tasks.
2. The control position tasked to monitor these rules of conduct fulfils the tasks and obligations detailed below:
a. Continuous monitoring as well as an annually rotating review of an appropriate number of the acceded companies depending on the risk content of the data processing and identified focal points of complaints, as well as a case-specific review of the relevant acceded company (in particular in the event of complaints with regard to alleged non-compliance with these rules of conduct by an acceded company).
b. Regular and case-specific monitoring of the suitability of these rules of conduct. This includes a conceptual review of whether these rules of conduct are practicable, sufficiently precise and have been formulated comprehensively, cover the need for regulation and are accepted in practice.
c. Case-specific requirement to provide information without delay about the actions taken and their justification both to the management board of the affected company and also to the data protection supervisory authority with competence for the affected company. The control position will be enabled to have a direct reporting path to the management board of the acceded companies.
d. The control position is entitled to all the investigation authorisations required to fulfil the tasks. The acceded companies shall provide the information required for this purpose on demand. The position shall receive access to all personal data, processing procedures and other information that is necessary to fulfil its tasks. In addition, the acceded companies shall allow the position access to the business premises, including all data processing facilities. The control position may also conduct investigations in the form of data protection reviews. The investigation authorisations also exist towards processors of the acceded companies, as well as towards third parties in accordance with Art. 4 (10) of the GDPR.
e. The control position shall document its investigation activities and shall take, if required, suitable actions towards the acceded companies to ensure compliance with the rules of conduct set here and that DW – in coordination with the competent supervisory authority – further develops these rules.
f. In the event of any breaches of these rules of conduct by an acceded company the control position shall take suitable actions with the aim of preventing the identified breach and avoiding any recurrence. The position shall treat all information about companies and natural persons (including data subjects and complainants) in confidence and keep this information secret. The control position shall be authorised to forward information to the competent supervisory authority insofar as such forwarding is required to fulfil its tasks and obligations. In the event that any breaches of these rules of conduct are identified, the position shall inform the management board of the affected company, as well as the supervisory authority with competence for the company, about the actions taken and their justification without undue delay.
g. The control position has the right to exclude acceded companies from these rules of conduct in the event of repeated breaches, or in the case of non-remedy of identified breaches of these rules of conduct.
If you ever have the feeling that something is not right about your SCHUFA-Daten, please contact us. We’ll find out together what’s missing or is not correct and can then correct it.
SCHUFA accepts rectification information by telephone, post and online. (SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone on +49 (0)611 - 92780 and using our query form here)
Right to object
The right to object to the processing of personal data is regulated in the General Data Protection Regulation (GDPR). An objection is possible if there are special circumstances that override the interests of SCHUFA in the collection, processing or use of data; this includes particular situations that could represent a danger to the life of the data subject or cause an injury to them, for example, if data subjects are enrolled in a witness protection programme or live in a women’s refuge.
In order to assert their right to object, data subjects can send their enquiry, with corresponding evidence, by post to SCHUFA for review.
SCHUFA will check hardship cases individually. Please contact us for this purpose.