- Name and contact details of the responsible office as well as the data protection officer
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0
The data protection officer of SCHUFA can be reached to Datenschutz Department at the a. m. address or by e-mail under firstname.lastname@example.org.
- Data processing by the SCHUFA
Purposes of data processing and legitimate interests pursued by SCHUFA or a third party
The SCHUFA processes personal data in order to provide authorized recipients with information for assessing the creditworthiness of natural and legal persons. Scores are calculated and transmitted for this purpose.
It only makes the information available if a legitimate interest in it has been credibly explained in individual cases and processing is allowed after weighing all interests.
The legitimate interest is given in particular before entering into transactions with a financial default risk.
The creditworthiness check serves to protect the receivers from losses in the lending business and at the same time opens up the possibility of protecting borrowers from excessive debt through advice.
The processing of the data also takes place for fraud prevention, seriousness testing, money laundering prevention, identity and age checks, address determination, customer care or risk management as well as tariffing or conditioning.
SCHUFA will inform about any changes of the purpose of the data processing according to art. 14 par. 4 of DS-GVO.
Legal basis for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation.
The processing takes place on the basis of consents and on the basis of art. 6 par. 1 letter f of the DS-GVO, insofar as the processing is necessary to safeguard the legitimate interests of the person responsible or a third party and not outweigh the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data.
Consents may be withdrawn at any time from the party concerned. This also applies to consents already granted before the entry into force of the DS-GVO.
The revocation of consent does not affect the legality of the personal data processed until the revocation.
Origin of the data
SCHUFA receives its data from its contractual partners. These are banks, savings banks, credit unions, credit unions, credit institutions, financial institutions and payment service providers in the European Economic Area and in Switzerland and, if applicable, other third countries (if there is a corresponding adequacy decision by the European Commission) -, factoring and leasing companies) as well as other contractual partners who use products of SCHUFA for the purposes mentioned under 2.1, in particular from the (shipping) trade, e-commerce, service, leasing, energy supply, telecommunications, insurance -, or collection area.
In addition, SCHUFA processes information from generally accessible sources such as public directories and official notices (debtor directories, insolvency announcements).
Categories of personal data being processed (personal data, payment history and contractual compliance)
- Personal data, e.g. name (where appropriate previous names, which will be provided on separate application), first name, date of birth, place of birth, address, previous addresses
- Information on the acceptance and contractual execution of a transaction (e.g. current accounts, installment loans, credit cards, garnishment protection accounts, basic accounts)
- Information about undisputed, due and repeatedly demanded or titled claims and their settlement
- Information about abusive or other fraudulent behavior such as identity or credit rating
- Information from public directories and official announcements
- Score values
Categories of recipients of personal data
Recipients are located in the European Economic Area, in Switzerland and, if applicable, other third countries (if there is a corresponding adequacy decision by the European Commission). Point 2.3.
Additional recipients may be external contractors of SCHUFA according to Art. 28 DS-GVO as well as external and internal SCHUFA positions. The SCHUFA is also subject to the statutory intervention powers of state agencies.
Duration of data storage
The SCHUFA stores information about persons only for a certain time. The decisive criterion for determining this time is the necessity. The SCHUFA has established regular intervals for an examination of the necessity of further storage or the deletion of personal data. According to this, the basic storage period of personal data is three years on the day after their completion.
Deviating from this e.g. deleted:
- Information about requests after twelve months on the day
- Information about non-disruptive contract data on accounts that are documented without the claim (eg checking accounts, credit cards, telecommunications accounts or energy accounts), information on contracts for which the evidence check is provided for by law (eg seizure protection accounts, basic accounts) and Guarantees and trading accounts held in credit immediately after notification of termination.
- Data from the debtor directories of the central enforcement tribunals after three years on a daily basis, but prematurely, if the SCHUFA can be proved to have been extinguished by the central enforcement court
- Information about consumer / insolvency proceedings or residual debt exemption proceedings, exactly three years after termination of the insolvency proceedings or granting of residual debt exemption. In special cases, an earlier deletion may also occur.
- Information about the rejection of an insolvency petition due to lack of assets, the repeal of the safeguards or the refusal of the debt relief on the day after three years
- Personal prefixes are stored exactly three years; thereafter, the necessity of continuing storage is tested for a further three years. Thereafter, they are deleted on a daily basis, unless long-term storage is required for identification purposes.
- Affected rights
Each data subject has the right to information to the SCHUFA according to Art. 15 DS-GVO, the right of correction according to Art. 16 DS-GVO, the right of deletion according to Art. 17 DS-BER and the right to restriction of processing according to Art. 18 DS-GMO.
The SCHUFA has set up a private customer service center for concerns of the persons concerned, in writing at SCHUFA Holding AG, Private Customer Service Center, PO Box 10 34 41, 50474 Cologne, by telephone on +49 (0) 6 11-92 78 0 and via an internet form can be reached at www.schufa.de.
In addition, it is possible to contact the supervisory authority responsible for the SCHUFA, the Hessian Data Protection Supervisor.
Consents may be withdrawn at any time from the party concerned.
According to Article 21 (1) of the GDPR, data processing can be objected to for reasons that arise from the particular situation of the person concerned. The objection can be made form-free and must be sent to SCHUFA Holding AG, Private Customer ServiceCenter, PO Box 10 34 41, 50474 Cologne.
- Profiling (scoring)
The SCHUFA information can be supplemented by so-called score values. Scoring uses collected information and past experience to create a forecast of future events.
All scores are calculated by the SCHUFA on the basis of the information stored about a person at the SCHUFA, which are also stated in the information pursuant to Art. 15 DS-GVO.
In addition, SCHUFA considers the recommendations of § 31 BDSG when scoring. The entries stored for a person are assigned to statistical groups of people that had similar entries in the past.
The method used is called "logistic regression" and is a well-founded, long-proven, mathematical-statistical method for predicting risk probabilities.
The following types of data are used by the SCHUFA to calculate scores, whereby not every type of data is included in each individual scoring calculation: general data (e.g. date of birth, gender or number of addresses used in business transactions), previous payment defaults, loan activity last year, credit usage, length credit history and address data (only if there is a small amount of personal credit-related information).
Certain information are neither stored nor taken into account in the calculation of scores, e.g.: information on nationality or special categories of personal data such as ethnic origin or information on political or religious attitudes according to Art. 9 DS-GVO.
The assertion of rights under the DS-GVO also, e.g. the accessing of the information stored at SCHUFA according to Art. 15 DS-GVO, has no influence on the score calculation.
The transmitted scores help the contractors in the decision-making and enter into the risk management there.
The risk assessment and assessment of the creditworthiness is carried out solely by the direct business partner, as only the latter has numerous additional information - for example from a loan application.
This applies even if it relies solely on the information and scores provided by SCHUFA.
In any case, a SCHUFA score alone is not a sufficient reason to reject a contract.
Further information on the creditworthiness scoring or the detection of conspicuous facts is available at www.scoring-wissen.de.