FFinTech

The Determining Role of the Schufa Score in Third-Party Decisions

The Determining Role of the Schufa Score in Third-Party Decisions 1
0
Shares
0
0
0
0
0
0

Whether the Schufa score plays a determining role in third-party credit decisions (e.g. by banks) has, since the judgment of the European Court of Justice (ECJ) on 7 December 2023
(C-634/21), been critical in assessing whether the mere calculation of a Schufa score constitutes automated decision-making within the meaning of Article 22(1) GDPR, which is subject to only very strict exceptions. As previously reported on PayTechLaw, the ECJ did not presume that banks’ lending decisions are generally determined by the Schufa score. Rather, the Court held that it is for national courts to determine, on a case-by-case basis, whether the score played a determining role. Since then, credit reference agencies and users of their scores face legal uncertainty as to how to interpret this newly articulated criterion of determining influence.

Two years on from the ECJ’s decision, we review the current, and at times divergent, case law in Germany regarding the determining role of the Schufa score and consider the implications for banks if such a role is affirmed.

1. Current State of German Case Law on the Determining Role

The German case law regarding the determining role of the Schufa score under the ECJ judgment is divided.

1.1 Referral Proceedings before the Administrative Court of Wiesbaden

In the originating proceedings before the Administrative Court of Wiesbaden — which referred the legal question to the ECJ — the administrative court observed that, in the case at hand, a deficient score in the context of consumer loans almost invariably led to credit denial, even where the investment otherwise appeared worthwhile. This prompted the administrative court to frame the referral question to the ECJ in terms suggesting that the score did indeed play a determining role in third-party decisions. At the time of writing, the final judgment of the Administrative Court of Wiesbaden, following the ECJ’s response, remains outstanding.

1.2 First-Instance Judgments Affirming the Determining Role

The courts of first instance seems generally to taking a broad view:

Bamberg Regional Court inferred a “clearly determining decision-making criterion” from the commercial use of the score and various submitted bank letters, though it acknowledged that the score need not be the sole reason for a decision (judgment of 26 March 2025 – 41 O 749/24 KOIN). The court prohibited Schufa from producing and communicating the claimant’s score using exclusively automated means and awarded €1,000 in damages.

Bayreuth Regional Court presumed that, given Schufa’s central role in the credit market and the score’s paid use, it had a rebuttable determining influence over third-party decisions (judgment of 29 April 2025 – 31 O 593/24). The claimant had evidenced specific loan denials (partly referencing the score), which the court deemed persuasive. Schufa failed, in the court’s view, to rebut this presumption. The court noted that in highly automated mass-market operations, it is highly unusual for a negative Schufa result not to result in a refusal — unless dealing with significant lending decisions where other factors may weigh in. The court awarded the claimant €3,000 in damages based on multiple violations.

Leipzig Regional Court interpreted the ECJ as requiring only an abstract risk of determining influence for Article 22 GDPR to apply and therefore also prohibited the automated calculation and forwarding of scores (judgment of 29 May 2024 – 07 O 2658/23). This restrictive, consumer-protective interpretation supported the finding.

Schufa has announced it intends to appeal all of the above first-instance decisions.

1.3 Higher Regional Courts Rejecting the Determining Role

By contrast, the Higher Regional Courts (e.g. OLG Nuremberg, decision of 24 June 2025 – 3 U 247/25; OLG Munich, decision of 25 February 2025 – 37 U 3586/24) consistently require specific, substantiated proof that the individual decision was determined by the score. They rely on the fact that the ECJ established no general presumption of a determining role. To date, these courts regularly reject generalised claims and demand concrete evidence linking the score and its role to the decision in question. Thus far, these courts have dismissed the claimants’ arguments due to insufficiently substantiated submissions.

Where claimants failed to provide sufficient detail, the courts have found no determining influence. A general presumption is rejected, particularly in light of regulatory and consumer protection provisions (§§ 505a, 505b BGB; § 18a KWG), which require consideration of other factors such as income, collateral, and assets.

In the area of general consumer loans and paid financing instruments, there remains some dispute as to how mandatory such factors truly are — the wording of the statutory provisions leaves room for discretion. This is particularly contentious for micro-loans and models like Buy Now, Pay Later (BNPL). Neither Article 18 of the Consumer Credit Directive nor its German implementation conclusively stipulate how much weight such factors must carry when assessing the borrower’s ability to repay.

2. Practical Implications for Schufa Score Users

Thus far, individuals have brought legal actions exclusively against Schufa itself. However, from the perspective of those entities that obtain and use the Schufa score — such as banks or providers of microloans, including BNPL models — the question also arises as to what weight may lawfully be attributed to the Schufa score in their own decisions regarding the establishment of a legal relationship with the data subject, and in particular whether, and under what circumstances, an insufficient Schufa score may be used as a knock-out criterion.

This raises the further issue of whether banks may lawfully receive and process a score that may have been calculated unlawfully. While the prevailing view in legal literature holds that the General Data Protection Regulation does not recognise a general principle of contamination akin to the ‘fruits of the poisonous tree’ doctrine, each controller remains fundamentally responsible for its own processing. An unlawful transmission does not automatically render downstream use unlawful, provided that the recipient has a valid legal basis and adheres to the principles of fairness. The position is different, however, where the receiving party is involved as a (joint) controller in the unlawful transmission, or has actual knowledge of the illegality. Against this background, it is advisable to conduct a clear review of the origin and legal basis of the obtained score data, and to ensure thorough documentation within the decision-making process.

In summary, using the score as a knock-out criterion risks triggering the applicability of Article 22 GDPR. In this case, the calculation of credit score must rely on a valid legal basis under Article 22(2) GDPR. The Schufa Score users must also provide affected individuals with clear information and offer procedures for complaint and additional submissions. The decision-making process should be clearly documented, including the weight attributed to the score versus other criteria. Where the determining role is to be avoided, users must demonstrate a holistic assessment in which the score plays only a supporting role and is not decisive. This may also include documented human involvement.

3. Outlook

Credit reference agencies and users of their credit scores shall closely monitor the further development of case law — and, above all, any potential clarification by the highest courts as to how the notion of a determining role is to be interpreted The awaited judgment from the Administrative Court of Wiesbaden may also bring further light into the interpretation of the ECJ established requirement. Until then, a conservative approach is advisable — with robust governance, transparent communication, and reliable documentation — regardless of whether the score plays a determining role or is only used as an additional factor.

Additionally, the German legislature is working on a new statutory exemption under Article 22(2)(b) GDPR. The proposed § 37a BDSG aims to create a specific legal basis for the calculation of scores (especially the credit score). Whether this approach will meet EU law requirements remains to be seen as the legislative process unfolds.

0
0

Svetlana is lawyer at Annerton Rechtsanwaltsgesellschaft mbH. She advises national and international FinTech companies as well as financial services institutions on issues of IT and data protection law as well as intellectual property law. Her advisory focus is on outsourcing, IT-legal contract drafting and regulatory requirements for payment service providers in the interface area of IT, data protection and financial supervisory law.



By continuing, you accept our privacy policy.
You May Also Like
FFinTech
Zwischen Swipe und Aufsicht Social Commerce boomt – doch rechtlich ist nicht alles erlaubt. Wann Plattformen Zahlungsdienste erbringen und welche Ausnahmen greifen, erklärt der Beitrag. Regulation
Read More
  • 6 minute read

Between swiping and regulation

Social commerce is transforming social media platforms like TikTok into virtual marketplaces—but without a license to provide payment services, legal challenges arise. This article examines how existing payment regulations apply to new platform models and the regulatory tightrope they must walk.
Read More