On December 7th, 2023, the Court of Justice of the European Union (CJEU) ruled that SCHUFA, a credit rating agency, played a “determining role” in a lender’s decision to deny a loan application. The CJEU found that SCHUFA’s role, i.e. providing credit scores, qualified as a “decision” under Article 22 of the GDPR. The court also determined that SCHUFA was better positioned to provide “meaningful information,” including the logic behind the automated decision-making process, to fulfill the data subject’s access rights under Article 15 of the GDPR.
This paper offers an overview of the judgment, and examines its potential implications and practical consequences for the financial services industry. It concludes that the SCHUFA ruling should be interpreted narrowly, focusing on the specifics of the case to avoid untenable and inconsistent outcomes. Finally, it provides guiding questions for organizations using automated decision-making to help assess how their processes and business models differ.
Download the Paper
Download NowMore like this
CIPL Response to the US House Financial Services Committee on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals
Find out more
Privacy-Enhancing and Privacy-Preserving Technologies in AI: Enabling Data Use and Operationalizing Privacy by Design and Default
Find out more
The Impact of Digital Advertising on Europe’s Competitiveness: A Study on the Role of Digital Advertising in Europe
Find out more
The Limitations of Consent as a Legal Basis for Data Processing in the Digital Society
Find out more
From Barriers to Bridges: Cloud Computing in Support of Privacy and Security
Find out more
Enabling Benefits and Safe Uses of Biometric Technology Through Risk-Based Regulations
Find out more
