Referral C-26/22 (SCHUFA Holding, 11 Jan 2022)

Is Article 77(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – ‘GDPR’; OJ 2016 L 119, p. 1), read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject

(a) has the character of a decision on a petition?
This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of the GDPR is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,

or

(b) is to be understood as a decision on the merits taken by a public authority?
This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of the GDPR, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of the GDPR.

2. Is the storage of data at a private credit information agency, where personal data from a public register, such as the ‘national databases’ within the meaning of Article 79(4) and (5) of Regulation (EU) 2015/848 of the European Parliament and of the Council of 20 May 2015 on insolvency proceedings (OJ 2015 L 141, p. 19), are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union of 12 December 2007 (‘the Charter’ – OJ 2007 C 303, p. 1)?

3a. Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation (EU) 2015/848, read in conjunction with the national law, permissible in principle?

3b. If Question 3a is answered in the affirmative, does it follow from the ‘right to be forgotten’ under Article 17(1)(d) of the GDPR that such data must be deleted where the processing period provided for in respect of the public register has expired?

4. In so far as point (f) of Article 6(1) of the GDPR enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?

5. Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of the GDPR, and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of Article 6(1) of the GDPR?