In a ruling dated March 16, 2017 (case reference: 233 OWi 12/17), the Hamburg District Court confirmed the order issued by the Data Protection Commissioner Johannes Caspar.
Accordingly, Schufa’s competitor Bürgel must pay a fine of 15,000 euros due to a data protection breach.
Determination of creditworthiness via geoscoring
The Hamburg-based company “Bürgel Wirtschaftsinformationen” responded to an online company’s request for creditworthiness by sending it the customer’s score based solely on her residential address.
The Hamburg-based company did not have any information about the customer.
Nevertheless, Bürgel determined her score solely on the basis of her residential address.
According to this geoscoring method, creditworthiness is only derived from the payment history of neighbors.
Legal ban on geoscoring in the BDSG
Since an amendment to the Federal Data Protection Act in April 2010, however, such a procedure has been prohibited.
§ Section 28b BDSG states that a credit rating calculation based solely on address data is not permitted (so-called geoscoring).
§ Section 28b BDSG
“For the purpose of deciding on the establishment, performance or termination of a contractual relationship with the data subject, a probability value for a certain future behavior of the data subject may be collected or used if
[…]
3. address data is not used exclusively for the calculation of the probability value
[…].”
Data protection officer safe – Bürgel used geoscoring to calculate creditworthiness
The Hamburg Data Protection Commissioner Johannes Caspar saw Bürgel’s actions as a clear violation of the legal requirements for determining scoring values when checking creditworthiness.
Bürgel had calculated the customer’s creditworthiness solely on the basis of geoscoring and had not included any personal data in the calculation.
Bürgel does not want to have used geoscoring
The company objected that it had informed the online company that the customer was not known to the company.
Therefore, no personal data was transmitted.
However, this objection did not convince either the data protection officer or the Hamburg District Court (decision of 16.03.2017, ref.: 233 OWi 12/17).
The company had unlawfully linked the personal data with an unlawfully calculated scoring value.
This alone constituted a breach of data protection law.
A look into the future: Higher fines for geoscoring due to the EU data protection regulation that will apply from 2018
Bürgel’s complaint about the geoscoring violation will probably not be very successful.
According to Caspar
The ruling of the local court is consistent and complies with the clear legal requirements, which will continue to apply in the future.
The General Data Protection Regulation will increase the range of fines many times over from May 25, 2018.
It is therefore to be expected that such proceedings will no longer be necessary in future due to the far more effective deterrent.