Transmission of customer data to credit agencies partly in violation of data protection

by admin

If customers do not settle claims, online retailers can report this to Schufa or other credit agencies. However, data protection law prohibits the transfer of personal data in certain cases, in order to protect the persons concerned from the serious effects that an unjustified negative entry at Schufa & Co. has on their everyday economic life. In this article, we use a recent decision to show which data protection regulations must be observed.

I. Reports and information on creditworthiness – a data protection problem

The provisions of the General Data Protection Regulation (GDPR) are general rules that apply in all EU member states. Through a number of opening clauses in the GDPR, the individual EU member states can adopt independent or more specific rules for certain areas within a defined framework.

In Germany, data protection requirements for the admissibility of data processing in connection with credit reports, and of reports made in this context, can be found not only in the GDPR but also in the Federal Data Protection Act (BDSG).

On the question of whether the processing of personal data in reports on creditworthiness is lawful under Art. 6 Para. 1 Letter f) GDPR, many data protection specialists hold that the requirements of § 31 Para. 2 No. 4 BDSG must also be observed specifically. That provision regulates the permissibility of using personal data for ratings created by credit bureaus and specifies the necessary prerequisites.

The transmission of personal data – and thus a report to the credit agency – is therefore only permissible if:

“the debtor has been informed of a possible consideration by a credit agency beforehand, but at the earliest with the first reminder, and”

“the debtor has not disputed the claim.”

II. A typical case ended up in court

The LG Frankenthal had to decide a case of this kind (decision of June 28, 2022, Az. 8 O 163/22).

The applicant received a letter from the respondent, a collection agency, about the collection of a claim in the amount of EUR 900, which she rejected as unfounded. The collection agency made no further contact. A few months later, she learned that the debt collection company had reported a payment disruption to Schufa, which had caused a negative entry with this credit agency.

In addition to the blocking of the applicant's credit card, this report also resulted in the bank's refusal to open a new current account. The applicant also saw herself restricted in her professional practice because she could no longer reserve hotel rooms for business trips.

In the proceedings, the applicant also expressly pointed out that she had contested the claim against the collection agency in writing and that she had not been informed that her data would be passed on, and she applied for a temporary injunction.

III. What was the court’s decision?

The court granted the request and came to the conclusion that the applicant was entitled to have the report of the payment disruption revoked and to have the respondent refrain from reporting this claim in the future.

The court emphasized that persons who are affected by such entries and who dispute the claim must have the right to defend themselves in good time.

From the court's point of view, a violation of Art. 6 GDPR, which contains the rules on the lawfulness of processing personal data, was of great importance for the decision. According to Art. 6 Para. 1 Letter f) GDPR, processing is lawful if

“The processing (…) is necessary to safeguard the legitimate interests of the person responsible or a third party unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child.”

In order to clarify whether legitimate interests in this sense existed in the present case, the court resorted to § 31 Para. 2 Sentence 1 No. 4 BDSG and found that the prerequisites

  • from § 31 Para. 2 Sentence 1 No. 4 Letter c BDSG (“the debtor has been informed beforehand, but at the earliest with the first reminder, about a possible consideration by a credit agency and”)
  • from § 31 Para. 2 Sentence 1 No. 4 Letter d BDSG (“the debtor has not disputed the claim”)

were not fulfilled. For this reason the court also denied the existence of a legitimate interest in the data transmission to Schufa within the meaning of Art. 6 Para. 1 Letter f) GDPR, and thus the legality of the information transfer as a whole.

IV. What should retailers therefore pay attention to when transmitting data to credit bureaus?

If a customer does not provide a service owed despite the due date and the retailer wishes to report a payment disruption to a credit agency such as Schufa, § 31 Para. 2 BDSG contains further requirements for the lawful transfer of data to the credit bureaus, in addition to those mentioned above.

Among other things, the claim must have been established by a court and/or be undisputed. According to § 31 Para. 2 No. 3 BDSG, it is also sufficient if the debtor has expressly acknowledged the claim. If the debtor did not expressly acknowledge the claim, the following requirements must also be met in accordance with § 31 Para. 2 No. 4 BDSG, in addition to the requirements in the last section:

  • the debtor must have received at least two written reminders after the claim has become due
  • the first reminder must be at least four weeks in the past

V. Conclusion

Retailers who pass on data to a credit agency, and thus want to bring about a negative entry for a customer there, must keep an eye on the data protection regulations. Otherwise, the processing of personal data is inadmissible, which can have corresponding consequences, up to and including claims for damages from data subjects.

In any case, retailers must provide general information about the transfer of customer data to credit agencies in a sufficiently transparent manner as part of their data protection declaration. The data protection declarations that we provide to our clients as part of our protection packages, of course, take this into account. Feel free to contact us if you have any further questions.

Tip: Do you have any questions about the contribution? Feel free to discuss this with us in the Entrepreneur group of the IT law firm on Facebook.
