The storage and use of credit rating data is subject to strict data protection regulations. The use of creditworthiness data by companies can take place in two directions:

On the one hand, companies access creditworthiness information in order to assess risks when awarding contracts. On the other hand, they themselves report data to SCHUFA Holding AG in order to provide the overall system with information.

Excursus:

Creditworthiness data is personal data relating to the financial reliability and creditworthiness of a person or company.

Examples:

  • Positive data: Contracts with credit institutions, duly paid loans, etc.
  • Negative data: Payment defaults, cancelled loans, dunning procedures, titled claims, personal insolvency, etc.

Art. 6 para. 1 lit. a), b) and f) GDPR are usually considered as legal bases: either the data subject has given their express consent, or the processing is necessary for the fulfilment of the contract, or the interests of the company outweigh the interests of the data subject.

I. Data enquiry

Companies that obtain creditworthiness information, e.g. from SCHUFA, and store the data must adhere to the permitted rights of enquiry and storage periods.

In principle, SCHUFA may, upon request, pass on stored data to a contractual partner within the scope of its legitimate interest in protecting against payment defaults. This applies primarily to situations of final risk assessment shortly before the company concludes a contract with the data subject.

But what applies to cases in which no contract has yet been concluded with the data subject, but the parties are still in the contract initiation phase?

The permitted scope of a data request on the basis of Art. 6 para. 1 lit. b) GDPR depends on the phase of contract initiation:

  • Early phase of contract initiation (preliminary examination of contract eligibility)

A credit check without a concrete prospect of a contract is not permitted.

The decisive factor for assessing the existence of a concrete prospect of concluding a contract is, among other things, the expressed interest in purchasing on the part of the person concerned. An agreement must already have been reached on the essential elements of the contract.

  • Concretised contract negotiations (individual offer is reviewed)

The query of a probability value about a certain future behaviour of a natural person for the purpose of deciding on the establishment and execution (or termination) of a contractual relationship with this person is permitted if

    • the basic requirements of data protection law have been complied with (Section 31 (1) No. 1 BDSG),
    • the data is used to assess the risk of non-payment (Section 31 (1) No. 2 BDSG) and
    • not only address data is used for the calculation (Section 31 (1) No. 3 BDSG).

Companies may only collect general negative data, as this relates to basic solvency (Section 31 (2) BDSG).

The data subjects must also be informed about the intended use of this data. This information must be documented (Section 31 (1) No. 4 BDSG).

At this stage, queries may be sent to SCHUFA that are relevant for the company’s risk assessment with regard to whether a contract is to be concluded.

  • Immediately before conclusion of the contract (final risk assessment)

In this final phase, more detailed creditworthiness information may be obtained if the conclusion of the contract can ultimately only be influenced by the information.

Insights

In our experience, supervisory authorities also differentiate between the legality of creditworthiness enquiries depending on the degree of negotiation:

In the contract initiation phase, personal data may be processed on the basis of Art. 6 para. 1 lit. b GDPR, as it is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures – if these are carried out at the request of the data subject. However, data on the creditworthiness of (prospective) buyers may only be collected and used before the contract is concluded if the contract negotiations are at an advanced stage and the conclusion of the (purchase) contract only depends on the credit check. The following applies:

“The more concrete the contract negotiations are, the more data may generally be collected.”

However, in accordance with Art. 13 and 14 GDPR, data subjects must in any case be informed by the requesting company about the processing of the data from the SCHUFA information, in particular with regard to the purpose, the legal basis and the duration of the storage of this data.

Storage period

If the contract is ultimately not concluded, the data collected during the contract initiation process must be deleted immediately, especially if the data subject requests this. The deletion obligation applies immediately as soon as it is clear that no contractual relationship will be concluded (Art. 17 para. 1 lit. a GDPR).

Keyword: Deletion of creditworthiness data in the event of failed contract negotiations

Longer storage may only be permitted if the company can prove that continued storage is necessary for the assertion, exercise or defence of legal claims (Art. 17 para. 3 lit. e GDPR).

II. Data registration

A recent judgement by the Regional Court of Lübeck (judgement of 23 January 2025 – Ref. 15 O 262/23) shows that the entry of data into the SCHUFA system is also subject to strict data protection requirements.

The Regional Court (LG) ruled that the transmission of positive data by a telecommunications company to SCHUFA constitutes unauthorised processing of personal data and justifies claims for damages under Art. 82 GDPR.

The company had passed on information about the conclusion of a mobile phone contract to SCHUFA without the customer’s express consent. There was no viable legal basis pursuant to Art. 6 para. 1 GDPR for the data transfer:

  • There was no consent (lit. a), as the customer had not given any conscious consent.

Effective consent requires a voluntary, informed and unequivocal expression of the data subject’s will. The mere provision of a data protection information sheet by the telecommunications company does not constitute express consent. It is not sufficient if the customer tacitly “agrees” through passivity or through a pre-formulated clause in the contract. Tacit consent or an opt-out option do not fulfil the requirements for active consent.

  • The legitimate interest (lit. f) was rejected because the right to informational self-determination of the data subject outweighs the interests of the company in the balancing of interests.

The data subject's right to informational self-determination pursuant to Art. 2 para. 1 in conjunction with Art. 1 para. 1 GG, or the right to the protection of personal data pursuant to Art. 8 EU Charter of Fundamental Rights, must be weighed against the right of companies to free entrepreneurial activity and protection of their financial interests pursuant to Art. 12, 2 para. 1 GG. Although telecommunications companies have a legitimate interest in fraud prevention and risk assessment, this interest does not outweigh the fundamental rights of the data subjects. The registration of positive data can lead to the creation of extensive personality profiles, which represents a significant impairment of informational self-determination. Registration is not necessary, as there are milder means of minimising the risk of payment defaults or identity fraud (e.g. internal credit checks). The registration of negative characteristics is often permissible under data protection law, but the registration of positive data without consent goes beyond this.

In its judgement, the LG Lübeck also refers to the LG Munich I (judgement of 25.04.2023 – Ref. 33 O 5976/22), which stated that even contract fulfilment (lit. b) does not apply as a legal basis because the data transfer was not necessary for the execution of the contract. The transfer of positive data to SCHUFA is not necessary for the fulfilment of the mobile phone contract. The mobile phone provider can fulfil the contract properly even without this data transfer. Nor can any legislative intention to permit the transfer of positive data be derived from Section 31 BDSG by way of an “a fortiori” conclusion.

“Even if credit agencies fulfil a function approved by the legal system and desired by society by calculating score values on the basis of registered negative data (see BGH CR 2020, 405), the transmission of negative data is linked to any “misconduct” of the person concerned and not “without cause”, which – unlike in the case of positive data – must be taken into account in the consideration for the data users,”

III. Conclusion

Companies may not indiscriminately request or register creditworthiness data.

With regard to data requests, the following applies: the more specific the prospect of a contract, the more information is permitted.

  • Initially, only rough negative characteristics may be checked, while detailed creditworthiness checks are only permitted shortly before the contract is concluded.
  • Companies must be able to justify the necessity of the enquiry and may not routinely check without cause.
  • If contract negotiations fail, the data collected must be deleted immediately.
  • Violations may result in severe penalties (fines of up to 20 million euros or 4% of annual global turnover) in accordance with Art. 83 para. 5 GDPR. Companies should therefore carefully document when and why they obtain credit reports.

In principle, reporting positive data to SCHUFA could only be justified by explicit consent.