IP case law Court of Justice of 7 Dec 2023, C-634/21 (SCHUFA Holding and Others)

JUDGMENT OF THE COURT (First Chamber)

7 December 2023 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 22 – Automated individual decision-making – Credit information agencies – Automated establishment of a probability value concerning the ability of a person to meet payment commitments in the future (‘scoring’) – Use of that probability value by third parties)

In Case C-634/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), made by decision of 1 October 2021, received at the Court on 15 October 2021, in the proceedings

OQ

v

Land Hessen,

intervener:

SCHUFA Holding AG,

THE COURT (First Chamber),

composed of A. Arabadjiev, President of the Chamber, T. von Danwitz, P.G. Xuereb, A. Kumin (Rapporteur) and I. Ziemele, Judges,

Advocate General: P. Pikamäe,

Registrar: C. Di Bella, Administrator,

having regard to the written procedure and further to the hearing on 26 January 2023,

after considering the observations submitted on behalf of:

–        OQ, by U. Schmidt, Rechtsanwalt,

–        the Land Hessen, by M. Kottmann and G. Ziegenhorn, Rechtsanwälte,

–        SCHUFA Holding AG, by G. Thüsing and U. Wuermeling, Rechtsanwalt,

–        the German Government, by P.-L. Krüger, acting as Agent,

–        the Danish Government, by V. Pasternak Jørgensen, M. Søndahl Wolff and Y. Thyregod Kollberg, acting as Agents,

–        the Portuguese Government, by P. Barros da Costa, I. Oliveira, J. Ramos and C. Vieira Guerra, acting as Agents,

–        the Finnish Government, by M. Pere, acting as Agent,

–        the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 16 March 2023,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 6(1) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’).

2        The request has been made in proceedings between OQ and the Land Hessen (Federal State of Hesse, Germany) concerning the refusal of the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (Data Protection and Freedom of Information Commissioner for the Federal State of Hesse, Germany; ‘the HBDI’) to order SCHUFA Holding AG (‘SCHUFA’) to grant an application lodged by OQ seeking to access and erase personal data concerning her.

 Legal context

 European Union law

3        Recital 71 of the GDPR provides:

‘The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes “profiling” that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of [European] Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect.’

4        Entitled ‘Definitions’, Article 4 of that regulation provides:

‘For the purposes of this Regulation:

(4)      “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

…’

5        Entitled ‘Principles relating to processing of personal data’, Article 5 of that regulation provides:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d)      accurate and, where necessary, kept up to date; … (“accuracy”);

(e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; … (“storage limitation”);

(f)      processed in a manner that ensures appropriate security of the personal data … (“integrity and confidentiality”);

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

6        Entitled ‘Lawfulness of processing’, Article 6 of the GDPR provides, in paragraphs 1 and 3 thereof:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)      processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)      processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

3.      The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)      Union law; or

(b)      Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. …’

7        Entitled ‘Processing of special categories of personal data’, Article 9 of that regulation is worded as follows:

‘1.      Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2.      Paragraph 1 shall not apply if one of the following applies:

(a)      the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(g)      processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

…’

8        Entitled ‘Information to be provided where personal data are collected from the data subject’, Article 13 of that regulation provides, in paragraph 2 thereof:

‘In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(f)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.’

9        Entitled ‘Information to be provided where personal data have not been obtained from the data subject’, Article 14 of the GDPR provides, in paragraph 2 thereof:

‘In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(g)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.’

10      Entitled ‘Right of access by the data subject’, Article 15 of that regulation provides, in paragraph 1 thereof:

‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(h)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.’

11      Entitled ‘Automated individual decision-making, including profiling’, Article 22 of that regulation provides:

‘1.      The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2.      Paragraph 1 shall not apply if the decision:

(a)      is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b)      is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c)      is based on the data subject’s explicit consent.

3.      In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4.      Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.’

12      Entitled ‘Right to an effective judicial remedy against a supervisory authority’, Article 78 of the GDPR provides, in paragraph 1 thereof:

‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’

 German law

13      Entitled ‘Protection of trade and commerce in the context of “scoring” and credit reports’, Paragraph 31 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. I, p. 2097; ‘the BDSG’), reads as follows:

‘(1)      The use of a probability value regarding specific future behaviour of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with that person (“scoring”) shall be permissible only if

1.      the provisions of data protection law have been complied with,

2.      the data used to calculate the probability value are demonstrably relevant to the calculation of the probability of the specific behaviour, on the basis of a scientifically recognised mathematical statistical method,

3.      the data used for the calculation of the probability value were not exclusively address data, and

4.      where address data are used, the data subject has been notified of the intended use of such data before the calculation of the probability value; the notification must be documented.

(2)      The use of a probability value determined by credit information agencies in relation to a natural person’s ability and willingness to pay shall, in the case where information about claims against that person is taken into account, be permissible only if the conditions under subparagraph 1 are met and claims relating to a performance owed but not rendered despite falling due are taken into account only if they are claims

1.      which have been established by a judgment which has become final or has been declared provisionally enforceable or for which there is a debt instrument pursuant to Paragraph 794 of the Zivilprozessordnung [(Code of Civil Procedure)],

2.      which have been established in accordance with Paragraph 178 of the Insolvenzordnung [(Insolvency Code)] and not contested by the debtor at the meeting for verification of claims,

3.      which the debtor has expressly acknowledged,

4.      in respect of which

(a)      the debtor has been given formal notice in writing at least twice after the claim fell due,

(b)      the first formal notice was given at least four weeks previously,

(c)      the debtor has been informed in advance, but at the earliest at the time of the first formal notice, of the possibility that the claim might be taken into account by a credit information agency and

(d)      the debtor has not contested the claim, or

5.      whose underlying contractual relationship may be terminated without notice on the ground of arrears in payment and in respect of which the debtor has been informed in advance of the possibility that account might be taken of them by a credit information agency.

The permissibility of the processing, including the determination of probability values and of other data relevant to creditworthiness, under general data protection law remains unaffected.’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

14      SCHUFA is a private company under German law which provides its contractual partners with information on the creditworthiness of third parties, in particular, consumers. To that end, it establishes a prognosis on the probability of a future behaviour of a person (‘score’), such as the repayment of a loan, based on certain characteristics of that person, on the basis of mathematical and statistical procedures. The establishment of scores (‘scoring’) is based on the assumption that, by assigning a person to a group of other persons with comparable characteristics who have behaved in a certain way, similar behaviour can be predicted.

15      It is apparent from the request for a preliminary ruling that OQ was refused the granting of a loan by a third party after having been the subject of negative information established by SCHUFA and transmitted to that third party. OQ applied for SCHUFA to send her information on the personal data registered and to erase some of the data which was allegedly incorrect.

16      In response to that request, SCHUFA informed OQ of her score and outlined, in broad terms, the methods for calculating the scores. However, referring to trade secrecy, it refused to disclose the various elements taken into account for the purposes of that calculation and their weighting. Lastly, SCHUFA stated that it limited itself to sending information to its contractual partners and it was those contractual partners which made the actual contractual decisions.

17      By a complaint lodged on 18 October 2018, OQ asked the HBDI, the competent supervisory authority, to order SCHUFA to grant her request for access to information and erasure.

18      By decision of 3 June 2020, the HBDI rejected that application for an order, explaining that it was not established that SCHUFA did not comply with the requirements set out in Article 31 of the BDSG incumbent upon it with regard to its activity.

19      OQ appealed against that decision before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), the referring court, in accordance with Article 78(1) of the GDPR.

20      According to that court, it is important to determine, for the purposes of ruling on the dispute before it, whether the establishment of a probability value such as that at issue in the main proceedings constitutes automated individual decision-making within the meaning of Article 22(1) of the GDPR. If that question is answered in the affirmative, the lawfulness of that activity would be subject, under Article 22(2)(b) of that regulation, to the condition that that decision be authorised by EU law or Member State law to which the controller is subject.

21      In that regard, the referring court has doubts as to the argument that Article 22(1) of the GDPR is not applicable to the activity of companies such as SCHUFA. It bases its doubts, from a factual point of view, on the importance of a probability value such as that at issue in the main proceedings for the decision-making practice of third parties to which that probability value is transmitted and, from a legal point of view, mainly on the objectives pursued by that Article 22(1), and on the guarantees of legal protection enshrined by the GDPR.

22      More specifically, the referring court notes that it is the probability value which normally determines whether and how the third party will contract with the person concerned. Article 22 of the GDPR precisely aims to protect people against the risks linked to decisions purely based on automation.

23      By contrast, if Article 22(1) of the GDPR were to be interpreted as meaning that the status of ‘automated individual decision-making’ cannot be recognised, in a situation such as that at issue in the main proceedings, until the decision taken by the third party with regard to the data subject, this would result in a lacuna in legal protection. First, a company such as SCHUFA would not be required to provide access to the additional information to which the data subject is entitled under Article 15(1)(h) of that regulation because that company would not be the company which adopts ‘automated decision-making’ within the meaning of that provision and, consequently, within the meaning of Article 22(1) of that regulation. Secondly, the third party to whom the probability value is communicated could not provide that additional information because it does not have it.

24      Thus, according to the referring court, to avoid such a lacuna in legal protection, it would be necessary for the establishment of a probability value such as that at issue in the main proceedings to fall within the scope of application of Article 22(1) of the GDPR.

25      If such an interpretation were to be accepted, the lawfulness of that activity would then be subject to the existence of a legal basis at the level of the Member State concerned, under Article 22(2)(b) of that regulation. In the present case, while it is true that Article 31 of the BDSG may constitute such a legal basis in Germany, there are serious doubts as to the compatibility of that provision with Article 22 of the GDPR because the German legislature regulates only the ‘use’ of a probability value such as that at issue in the main proceedings, and not the establishment in itself of that value.

26      By contrast, if the establishment of such a probability value does not constitute automated individual decision-making within the meaning of Article 22 of the GDPR, the opening clause appearing in paragraph 2(b) of that Article 22 would also not apply to national regulations regarding that activity. In view of the exhaustive, in principle, nature of the GDPR and in the absence of any other normative competence for such national regulations, it seems that the German legislature, by subjecting the establishment of probability values to more advanced conditions of substantive lawfulness, specifies the regulated matter by going beyond the requirements set out in Articles 6 and 22 of the GDPR, without having regulatory power for this purpose. If this point of view were to be correct, this would modify the margin of examination of the national supervisory authority, which would then have to assess the compatibility of the activity of credit information agencies in the light of Article 6 of that regulation.

27      In those circumstances the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is Article 22(1) of the [GDPR] to be interpreted as meaning that the automated establishment of a probability value concerning the ability of a data subject to service a loan in the future already constitutes a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her, where that value, determined by means of personal data of the data subject, is transmitted by the controller to a third-party controller and the latter draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with the data subject?

(2)      If the first question is answered in the negative:

are Articles 6(1) and 22 of the [GDPR] to be interpreted as precluding national legislation under which the use of a probability value – in the present case, in relation to a natural person’s ability and willingness to pay, in the case where information about claims against that person is taken into account – regarding specific future behaviour of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with that person (scoring) is permissible only if certain further conditions, which are set out in more detail in the grounds of the request for a preliminary ruling, are met?’

 Admissibility of the request for a preliminary ruling

28      SCHUFA challenges the admissibility of the request for a preliminary ruling by arguing, in the first place, that the referring court is not called upon to review the content of a decision on a complaint, adopted by a supervisory authority such as the HBDI, since the judicial remedy against such a decision, provided for in Article 78(1) of the GDPR, serves only to verify whether that authority has complied with the obligations incumbent upon it under that regulation, in particular that of processing complaints, it being specified that that authority has discretion to decide whether and how it should act.

29      In the second place, SCHUFA maintains that the referring court does not set out the specific reasons why the questions referred would be decisive for the resolution of the dispute in the main proceedings. The purpose of the latter would be a request for information on an actual score and the erasure of that score. In the present case, SCHUFA has sufficiently complied with its information obligation and has already erased the score subject to the procedure.

30      In that regard, it should be borne in mind that, according to settled case-law of the Court, it is solely for the national court hearing the case, which must assume responsibility for the subsequent judicial decision, to determine, with regard to the particular aspects of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it refers to the Court. Consequently, where the questions submitted concern the interpretation of a rule of EU law, the Court is in principle bound to give a ruling (judgment of 12 January 2023, DOBELES HES, C-702/20 and C-17/21, EU:C:2023:1, paragraph 46 and the case-law cited).

31      Accordingly, questions concerning EU law enjoy a presumption of relevance. The Court may refuse to give a ruling on a question referred by a national court only where it is quite obvious that the interpretation of a rule of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgment of 12 January 2023, DOBELES HES, C-702/20 and C-17/21, EU:C:2023:1, paragraph 47 and the case-law cited).

32      As regards, in the first place, the plea of inadmissibility based on an allegedly limited judicial review to which decisions on complaints adopted by a supervisory authority are subject, it should be borne in mind that, under Article 78(1) of the GDPR, without prejudice to any other administrative or non-judicial remedy, each natural or legal person is to have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

33      In the present case, the decision adopted by the HBDI as supervisory authority constitutes a legally binding decision, within the meaning of Article 78(1) of the GDPR. Having examined the merits of the complaint brought before it, that authority ruled on it and found that the processing of personal data contested by the applicant in the main proceedings was lawful.

34      With regard to the extent of the judicial review exercised over such a decision in the context of an action brought under Article 78(1), it is sufficient to note that a decision on a complaint adopted by a supervisory authority is subject to full judicial review (judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:XXX, point 1 of the operative part).

35      The first plea of inadmissibility put forward by SCHUFA must therefore be rejected.

36      In the second place, it is clear from the request for a preliminary ruling that the referring court questions the criterion of review to be used when assessing, in the light of the GDPR, the processing of the personal data at issue in the main proceedings, that criterion depending on the applicability or not of Article 22(1) of that regulation.

37      Thus, it is not clear that the interpretation of the GDPR sought by the referring court bears no relation to the actual facts of the main action or its purpose and that the problem is hypothetical. Furthermore, the Court has before it the factual or legal material necessary to give a useful answer to the questions submitted to it.

38      Accordingly, the second plea of inadmissibility put forward by SCHUFA must also be rejected.

39      In those circumstances, the request for a preliminary ruling is admissible.

 Consideration of the questions referred

 The first question

40      By its first question, the referring court asks, in essence, whether Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

41      In order to answer that question, it should be borne in mind, as a preliminary point, that the interpretation of a provision of EU law requires that account be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part (judgment of 22 June 2023, Pankki S, C-579/21, EU:C:2023:501, paragraph 38 and the case-law cited).

42      As regards the wording of Article 22(1) of the GDPR, that provision provides that the data subject is to have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

43      The applicability of that provision is therefore subject to three cumulative conditions, namely, first, that there must be a ‘decision’, secondly, that that decision must be ‘based solely on automated processing, including profiling’, and, thirdly, that it must produce ‘legal effects concerning [the interested party]’ or ‘similarly significantly [affect] him or her’.

44      As regards, first, the condition relating to the existence of a decision, it should be noted that the concept of ‘decision’, within the meaning of Article 22(1) of the GDPR, is not defined by that regulation. However, it is apparent from the very wording of that provision that that concept refers not only to acts which produce legal effects concerning the person at issue but also to acts which similarly significantly affect him or her.

45      The broad scope of the concept of ‘decision’ is confirmed by recital 71 of the GDPR, according to which a decision evaluating personal aspects relating to a person, to which that person should have the right not to be subject, ‘may include a measure’ which either produces ‘legal effects concerning him or her’, or, ‘similarly significantly affects him or her’. Under that recital, the term ‘decision’ covers, for example, the automatic refusal of an online credit application or e-recruiting practices without human intervention.

46      The concept of ‘decision’ within the meaning of Article 22(1) of the GDPR is thus, as the Advocate General noted in point 38 of his Opinion, capable of including a number of acts which may affect the data subject in many ways, since that concept is broad enough to encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.

47      As regards, secondly, the condition according to which the decision, within the meaning of that Article 22(1), must be ‘based solely on automated processing, including profiling’, as the Advocate General noted in point 33 of his Opinion, it is common ground that an activity such as that of SCHUFA meets the definition of ‘profiling’ appearing in Article 4(4) of the GDPR and therefore that that condition is met in the present case, since the wording of the first question referred explicitly refers to the automated establishment of a probability value based on personal data relating to a person and concerning that person’s ability to repay a loan in the future.

48      As regards, thirdly, the condition that the decision must produce ‘legal effects’ concerning the person at issue or affect him or her ‘similarly significantly’, it is apparent from the very wording of the first question referred that the action of the third party to whom the probability value is transmitted draws ‘strongly’ on that value. Thus, according to the factual findings of the referring court, in the event where a loan application is sent by a consumer to a bank, an insufficient probability value leads, in almost all cases, to the refusal of that bank to grant the loan applied for.

49      In those circumstances, it must be stated that the third condition to which the application of Article 22(1) of the GDPR is subject is also fulfilled, since a probability value such as that at issue in the main proceedings affects, at the very least, the data subject significantly.

50      It follows that, in circumstances such as those at issue in the main proceedings, in which the probability value established by a credit information agency and communicated to a bank plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing vis-à-vis a data subject ‘legal effects concerning him or her or similarly significantly [affecting] him or her’ within the meaning of Article 22(1) of the GDPR.

51      That interpretation is corroborated by the context in which Article 22(1) of the GDPR takes place and by the objectives and purpose pursued by that regulation.

52      In this regard, it is important to note that, as the Advocate General observed in point 31 of his Opinion, Article 22(1) of the GDPR confers on the data subject the ‘right’ not to be the subject of a decision solely based on automated processing, including profiling. That provision lays down a prohibition in principle, the infringement of which does not need to be invoked individually by such a person.

53      As follows from a combined reading of Article 22(2) of the GDPR and recital 71 of that regulation, the adoption of a decision based solely on automated processing is authorised only in the cases referred to in that Article 22(2), namely where that decision is necessary for entering into, or performance of, a contract between the data subject and a data controller (point (a)), where it is authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (point (b)), or where it is based on the data subject’s explicit consent (point (c)).

54      Furthermore, Article 22 of the GDPR provides, in paragraphs 2(b) and 3 thereof, that suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests must be taken. In the cases referred to in points (a) and (c) of Article 22(2) of that regulation, the data controller is to implement at least the right of the data subject to obtain human intervention, to express his or her point of view and to contest the decision.

55      In addition, under Article 22(4) of the GDPR, it is only in certain specific cases that automated individual decision-making within the meaning of Article 22 is to be based on special categories of personal data referred to in Article 9(1) of that regulation.

56      Furthermore, in the case of automated decision-making, such as that referred to in Article 22(1) of the GDPR, first, the controller is subject to additional information obligations under Article 13(2)(f) and Article 14(2)(g) of that regulation. Secondly, the data subject enjoys, under Article 15(1)(h) of that regulation, the right to obtain from the controller, in particular, ‘meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’.

57      Those enhanced requirements as to the lawfulness of automated decision-making and the additional information obligations of the controller and the related additional rights of access of the data subject are explained by the purpose pursued by Article 22 of the GDPR, consisting of protecting individuals against the particular risks to their rights and freedoms represented by the automated processing of personal data, including profiling.

58      That processing involves, as is apparent from recital 71 of the GDPR, the evaluation of personal aspects relating to the natural person concerned by that processing, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

59      Those particular risks are, under that recital, likely to weigh on the legitimate interests and rights of the data subject, in particular taking account of discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation. It is therefore important, still according to that recital, to provide suitable safeguards and to ensure fair and transparent processing in respect of the data subject, in particular through the use of appropriate mathematical or statistical procedures for the profiling and the implementation of technical and organisational measures appropriate to ensure that the risk of errors is minimised.

60      The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad scope of the concept of ‘decision’ within the meaning of Article 22(1) of the GDPR, reinforces the effective protection intended by that provision.

61      On the other hand, in circumstances such as those at issue in the main proceedings, in which three stakeholders are involved, there would be a risk of circumventing Article 22 of the GDPR and, consequently, a lacuna in legal protection if a restrictive interpretation of that provision was retained, according to which the establishment of the probability value must only be considered as a preparatory act and only the act adopted by the third party can, where appropriate, be classified as a ‘decision’ within the meaning of Article 22(1) of that regulation.

62      In that situation, the establishment of a probability value such as that at issue in the main proceedings would escape the specific requirements provided for in Article 22(2) to (4) of the GDPR, even though that procedure is based on automated processing and produces effects significantly affecting the data subject to the extent that the action of the third party to whom that probability value is transmitted draws strongly on it.

63      Furthermore, as the Advocate General noted in point 48 of his Opinion, first, the data subject would not be able to assert, from the credit information agency which establishes the probability value concerning him or her, his or her right of access to the specific information referred to in Article 15(1)(h) of the GDPR, in the absence of automated decision-making by that company. Secondly, even assuming that the act adopted by the third party falls within the scope of Article 22(1) of that regulation in so far as it fulfils the conditions for application of that provision, that third party would not be able to provide that specific information because it generally does not have it.

64      The fact that the establishment of a probability value such as that at issue in the main proceedings is covered by Article 22(1) of the GDPR has the consequence, as noted in paragraphs 53 to 55 of this judgment, that it is prohibited unless one of the exceptions set out in Article 22(2) of that regulation is applicable and the specific requirements provided for in Article 22(3) and (4) of that regulation are complied with.

65      With regard, more specifically, to Article 22(2)(b) of the GDPR, to which the referring court refers, it is apparent from the very wording of that provision that the national law which authorises the adoption of an automated individual decision must lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.

66      In the light of recital 71 of the GDPR, such measures must include, in particular, the obligation for the controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures appropriate to ensure that the risk of errors is minimised and inaccuracies are corrected, and secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and prevent, inter alia, discriminatory effects on that person. Those measures include, moreover, at least the right for the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to challenge the decision taken in his or her regard.

67      It is also important to note that, in accordance with the settled case-law of the Court, any processing of personal data must, first, comply with the principles relating to the processing of data established in Article 5 of the GDPR and, secondly, in the light, in particular, of the principle of the lawfulness of processing, laid down in Article 5(1)(a), satisfy one of the conditions of the lawfulness of the processing listed in Article 6 of that regulation (judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 49 and the case-law cited). The controller must be able to demonstrate compliance with those principles, in accordance with the principle of accountability set out in Article 5(2) of that regulation (see, to that effect, judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 24).

68      Thus, in the event that the law of a Member State authorises, under Article 22(2)(b) of the GDPR, the adoption of a decision solely based on automated processing, that processing must comply not only with the conditions set out in the latter provision and in Article 22(4) of that regulation, but also with the requirements set out in Articles 5 and 6 of that regulation. Accordingly, Member States cannot adopt, under Article 22(2)(b) of the GDPR, regulations which authorise profiling in disregard of the requirements laid down by those Articles 5 and 6, as interpreted by the case-law of the Court.

69      With regard in particular to the conditions of lawfulness, provided for in Article 6(1)(a), (b), and (f) of the GDPR, which are likely to apply in a case such as that at issue in the main proceedings, Member States are not empowered to provide additional rules for the implementation of those conditions, such an option being, in accordance with Article 6(3) of that regulation, limited to the reasons referred to in Article 6(1)(c) and (e) of that regulation.

70      Furthermore, with regard more specifically to Article 6(1)(f) of the GDPR, Member States cannot, under Article 22(2)(b) of that regulation, dismiss the requirements resulting from the case-law of the Court following the judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C-26/22 and C-64/22, EU:C:2023:XXX), in particular, by definitively prescribing the result of the balancing of the rights and interests at issue (see, to that effect, judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 62).

71      In the present case, the referring court states that only Paragraph 31 of the BDSG could constitute a national legal basis for the purposes of Article 22(2)(b) of the GDPR. However, it has serious doubts as to the compatibility of Paragraph 31 of the BDSG with EU law. Assuming that that provision is deemed incompatible with EU law, SCHUFA would act not only without legal basis, but would ipso iure disregard the prohibition laid down in Article 22(1) of the GDPR.

72      In this regard, it is for the referring court to verify whether Paragraph 31 of the BDSG can be classified as a legal basis authorising, under Article 22(2)(b) of the GDPR, the adoption of a decision solely based on automated processing. If that court were to reach the conclusion that Article 31 of the GDPR constitutes such a legal basis, it would still be up to it to verify whether the conditions set out in Article 22(2)(b) and (4) of the GDPR and those laid down in Articles 5 and 6 of that regulation are fulfilled in this case.

73      In the light of all the foregoing considerations, the answer to the first question is that Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

 The second question

74      Given the answer to the first question, there is no need to answer the second question.

 Costs

75      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

Article 22(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

[Signatures]

*      Language of the case: German.


