Voluntary deletion of 20 million data records: correct legal basis as an economic asset

The data in question are name, address, date of birth, information about the conclusion of a telecommunications contract and a reference to this contract. These positive data – i.e. who, when (and how often) has concluded a telecommunications contract with which provider – were transmitted by the telecommunications providers to the Schufa in connection with the conclusion of a telecommunications contract with individual customers. The main purpose stated of the positive data was to prevent fraud and data misuse by third parties. However, the data can also be used as a basis for calculating the creditworthiness of consumers, e.g. if individuals have only a single long-term contract or, conversely, a large number of short-term, frequently changing contracts that have not (yet) existed for a long time.

So-called negative data are independent of these positive data. This refers to information on payment defaults, which companies report to Schufa on an ad hoc basis.

Already in June 2018 and again in September 2021, the association of German data protection supervisory authorities criticised a reliance on Art. 6 para. 1 lit. f DSGVO – i.e. the legitimate interest of the company – as a legal basis for the transmission of positive data. In particular, large amounts of data relating to everyday business transactions would be collected and processed without the data subjects having given cause for this. In the view of the supervisory authorities, the interests of the data subjects would outweigh the interests of the telecommunications companies and the credit bureau. Accordingly, the transfer of positive data could only be based on consent pursuant to Art. 6 para. 1 lit. b DSGVO, which the telecommunications companies did not obtain.

Finally, in 2022, a consumer protection association sued the German subsidiary of Telefonica for an injunction against the transfer of positive data to Schufa Holding AG. At first instance, the Munich regional court ruled in favour of the consumer association in April 2023.

According to the court, the telecommunications provider had not chosen the necessary and proportionate means to achieve the various interests served by the data processing by transfering the positive data, but had chosen what it considered to be the most effective method. This, however, was inadmissible.

In particular, the court discusses in detail a large number of the interests provided by the company, discusses the effectiveness of milder means, and thus already partially denies the necessity of the transfer of the positive data to achieve the interests of the company. When balancing the interests of data subjects and company, the regional court then states that the defendant telecommunications company, together with the credit protection agency, creates an incident-free data collection which predominantly affects consumers who are neither at risk of creditworthiness nor at risk of identity theft or other fraudulent behaviour. This constitutes a significant infringement of the interests of the consumers concerned and therefore outweighs the interests of the company. The company’s legitimate interests are therefore insufficient as a legal basis.

The decision of the regional court has not yet become final and the telecommunications company has filed an appeal. For the time being, the ruling has no direct effect on Schufa Holding AG as well. Nevertheless, Schufa Holding AG, as the recipient of the positive data, has now given up its resistance of more than five years to the criticism of the supervisory authorities and announced that it will delete all positive data it has received. Nothing is yet known about the outcome of any administrative proceedings brought by the supervisory authorities against the companies involved.

The decision of the regional court and the indirect effects on Schufa show how important it is for companies to have a (correct) legal basis for each individual data processing operation. Otherwise, it can happen that processing operations are prohibited and data collections (have to be) deleted, even retrospectively and years later. This can have a significant impact on the business model, especially for data-driven companies, such as the deletion of several million data records, as seen in this case.​