On 16 March 2023, the Court of Justice of the EU (CJEU) released the Advocate General’s Opinion in cases C-634/21, C-26/22 and C-64/22. We are waiting for a long time to observe their final conclusions. The Advocate General considered that the automated appraisal of credit applicant’s creditworthiness constitutes profiling under the GDPR.
What happened in the SCHUFA case
SCHUFA Holding AG provided its client, a credit institution, with a score for a person. It served as the ground to refuse her credit application. She then requested SCHUFA to remove the entry of her profile and to give her access to the corresponding data. The company provided her solely the score. It refused to disclose the complete data regarding the calculation formula based on the trade secret protection argument. It also did not delete the entry relating to early discharges from remaining debts until 3 years after entry.
From her claims against SCHUFA to Land Hessen (the Data Protection and Freedom of Information Commissioner for Hesse), the Administrative Court of Wiesbaden raised the questions before the CJEU about the restriction of the GDPR applied to reporting agencies, effect of trade secrets. The further joint cases brought the question about the legal nature of the supervisory authority’s decision to hear a complaint, the scope of the judicial review of this decision by the court and the lawfulness of the storage of personal data from public registers by credit information agencies.
The Advocate General’s Opinion
First, the data subject must not be subject to a decision based solely on automated processing, including profiling. This person concerned retains the right to information because:
- the processing formed “profiling”;
- the decision led to legal effects concerning the data subject, or the significant like; and
- automated processing is the sole ground of the decision.
The personal information of this concerned person, which the controller had transmitted to a third-party controller (SCHUFA), determined the specific probability value in discussion. The Advocate General emphasised, the consistent practice showed that SCHUFA used that value to advantage to evaluate the establishment, implementation or termination of contractual relationship with that same person.
Second, for the additional concerns in the joint cases, the Advocate General held that “a legal binding decision of a supervisory authority is subject to a full substantive judicial review, which guarantees an effective judicial remedy”. He also found that the storage of data by a private credit information agency is illicit in case the public registers has erased personal data concerning insolvency, due to the failure to meet the the following principles of the GDPR:
- the controller or the third party(ies) must pursue a legitimate interest;
- the personal data processing is necessary for the purpose of the legitimate interest ;
- the fundamental rights and freedoms of the data subject prevail.
Third, this person concerned may enjoy her right to obtain from the controller the removal of her personal data without undue delay. The grant of this right occurs when she objects to the processing or when the controller has unlawfully processed those data.
For more CJEU judgements on the GDPR: https://www.astraiagear.com/2023/01/12/cjeu-judgements-on-gdpr/
Source: https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-03/cp230049en.pdf