1. Name and contact information for the controller as well as the company data protection ofﬁcer
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0
The SCHUFA company data protection ofﬁcer may be reached at the address listed above,
attn. Department of Data Protection or by email at firstname.lastname@example.org.
2. Data processing by SCHUFA
2.1 Purpose of data processing and legitimate interests pursued by SCHUFA or a third party
SCHUFA processes personal data in order to provide recipients with a legitimate interest information needed to evaluate the creditworthiness of individuals and legal entities. Scores
are calculated and provided to this end. It only provides information if a legitimate interest in such information is credibly shown in a particular case and processing such information is
permissible upon weighing all interests concerned. Without limitation, a legitimate interest is present upon entering into transactions with a ﬁnancial default risk. A credit assessment
serves to protect the recipient against losses in the lending business and, at the same time, provides an opportunity to protect borrowers from unreasonable indebtedness by providing
counselling. Furthermore, data is processed for purposes of fraud prevention, integrity assessment, money laundering prevention, identity and age veriﬁcation, address location, cus-
tomer service or risk management as well as tariff classiﬁcation and assessing conditions. Pursuant to Art. 14 (4) GDPR, SCHUFA will provide information regarding any changes to the
purposes for which it processes data.
2.2 Legal bases for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation. Data is processed on the basis of consent as well as on the basis of
Art. 6 (1) (f) GDPR provided that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden
by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Consents may be revoked at any time by declaration to the relevant
contractual partner. This applies in like manner to consents provided prior to the effective date of the GDPR. The revocation of consent does not affect the legality of personal data
processed prior to revocation.
2.3 Data sources
SCHUFA receives its data from its contractual partners. They are institutions, ﬁnance companies and payment service providers domiciled in the European Economic Area and Switz-
erland as well as third countries as applicable (to the extent an adequacy decision from the European Commission is available) that are exposed to a ﬁnancial default risk (e.g. banks,
savings banks, cooperative banks, credit card, factoring and leasing companies) as well as additional contractual partners who use SCHUFA products for the purposes described in
section 2.1, in particular (mail order) retailers, e-commerce companies, service providers, leasing, energy supply, telecommunications, insurance or collections companies. Furthermore,
SCHUFA processes information from generally accessible sources such as public registries and ofﬁcial publications (e.g. debtor registers, insolvency announcements).
2.4 Categories of personal information that is processed (personal data, payment history and contractual compliance)
- Personal data, e.g. surname (if applicable prior names that may be provided upon special request), given name, date of birth, place of birth, address, prior addresses
- Information regarding the initiation and execution of a transaction in accordance with the contract (e.g. giro accounts, instalment loans, credit cards, garnishment-exempt accounts,
- Information regarding undisputed, past-due claims subject to repeated dunning or reduced to judgement and their resolution
- Information regarding abusive or otherwise fraudulent activities such as identity theft or credit rating fraud
- Information from public registries and ofﬁcial publications
2.5 Categories of recipients of personal data
Recipients comprise contractual and business partners listed in section 2.3 domiciled in the European Economic Area and Switzerland as well as other third countries as applicable (to
the extent an adequacy decision from the European Commission is available for such countries). Additional recipients may include external contractors pursuant to Art. 28 GDPR as well
as external and internal SCHUFA recipients. SCHUFA is furthermore subject to the statutory powers of intervention held by public authorities.
2.6 Duration of data storage
SCHUFA stores information about persons only for a certain period.
Necessity is the decisive factor for deﬁning this period. SCHUFA has established standard periods for a review of necessity for further storage and/or deletion of personal data. Based
on these rules, the general storage period for personal data is three years from the date of their transaction. The foregoing notwithstanding, examples of other deletion periods include:
- Information regarding enquiries twelve months to the date
- Information regarding trouble-free contractual data related to accounts that are documented without the associated claim (e.g. giro accounts, credit cards, telecommunications
accounts or energy accounts), information regarding contracts for which an evidential review is provided by law (e.g. accounts exempt from garnishment, basic accounts) as well as
guarantees and trading accounts that are maintained on the credit side, immediately after notiﬁcation of termination
- Data from debtor registers of the central enforcement courts three years to the day, however earlier if SCHUFA is shown evidence of deletion by the central enforcement court
- Information on consumer/insolvency proceedings or residual-debt exemption proceedings three years to the day following termination of the insolvency proceedings or issuance of a
residual debt exemption. Deletion may be also be performed at an earlier date as specially warranted in speciﬁc cases.
- Information regarding the rejection of an insolvency petition due to a lack of assets, the suspension of a stay or the failure of the residual debt exemption, three years to the day
- Personal prior addresses remain stored for three years to the day; a review of the necessity of an additional three years of storage is conducted thereafter. Thereafter, they are deleted
three years to the day provided that a longer storage period is not required for identiﬁcation purposes.
3. Rights of the data subject
In relation to SCHUFA, every person concerned has the right of access under Art. 15 GDPR, the right of rectiﬁcation under Art. 16 GDPR, the right to erasure under Art. 17 GDPR and
the right to restrict processing under Art. 18 GDPR. SCHUFA has set up a consumer service centre for the concerns of data subjects. It may be reached in writing at SCHUFA Holding
AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone at +49 (0) 6 11-92 78 0 and via an online form available at www.schufa.de. Furthermore, it is
also possible to contact the supervisory authority responsible for SCHUFA, the Commissioner for Data Protection of Hesse. Consents may be revoked at any time by declaration to the
relevant contractual partner.
Pursuant to Art. 21 (1) GDPR, data processing may be objected to on grounds relating to the particular situation
of the data subject. An objection may be asserted without formal requirements and should be
addressed to SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne.
4. Proﬁle creation (Scoring)
The SCHUFA credit report may be supplemented by a so-called score. Scoring involves the creation of a forecast of future events on the basis of information collected and past
experience. SCHUFA fundamentally calculates all scores on the basis of information stored by SCHUFA regarding the relevant person; this information is provided in response to a
request pursuant to Art. 15 GDPR. Furthermore, SCHUFA complies with the provisions of § 31 Federal Data Protection Act (BDSG). On the basis of entries stored in association with
an individual, the individual is assigned to a statistical group of persons who had similar entries in the past. This process is described as “logical regression” and is a well-founded
mathematical-statistical method that has proven itself over time for forecasting risk probabilities.
The following forms of data are used by SCHUFA when computing a score, whereby not every form of data is used to compute every score: General data (date of birth, gender or
number of addresses used in business dealings), prior payment problems, credit activity for the previous year, credit utilisation, length of credit history as well as address data (only if
little personal credit-related information is available). Certain information is neither stored nor used for scoring purposes, for example: Information regarding nationality or particular
categories of personal data such as ethnic origin or information about political or religious beliefs in accordance with Art. 9 GDPR. Similar, the assertion of rights pursuant to the GDPR,
i.e. access to data stored by SCHUFA under Art. 15 GDPR, has no inﬂuence on the calculation of a score.
Scores that are provided support the contractual partners in the decision-making process and are considered as part of risk management. Risk assessment and evaluation of
credit worthiness is performed solely by the direct business partner, whilst only it has a wide variety of additional information available to it – for example information from the
credit application. This even applies in the event the business partner relies solely on information and scores provided by SCHUFA. However, by itself a SCHUFA score is not a
sufﬁcient basis to decline the conclusion of a contract.
Additional information on the scoring process or the recognition of unusual circumstances is available at www.Scoring-Wissen.de.