What we have achieved
We built a functioning data donation platform and were able to motivate more than 4,000 people to provide us with their SCHUFA information – very sensitive information that people usually keep to themselves. The campaign led to more than 100,000 subject data requests to credit scoring companies, more than 30,000 of them to SCHUFA.
Spiegel Online and BR reported on the initiative and analysed the data sets independently of OpenSchufa in autumn 2018. The results substantiated our suspicion that the SCHUFA procedure to determine the creditworthiness of 67 million Germans is flawed and reinforces discrimination, even though we are unable to come up with the kind of evidence that will stand up in court.
We were able to prove that SCHUFA violated the GDPR’s data access provisions.
We have been able to show that the supervisory authority in charge, the Hessian State Data Protection Commissioner, keeps SCHUFA on a very long leash – in our opinion he is either unwilling or unable to adequately control SCHUFA.
Overall, thanks to crowdfunding and crowdsourcing (data donation), we have succeeded in communicating the non-transparent conduct of the private company SCHUFA to the general public through the campaign itself and various media reports. As a result, the Federal Minister of Justice and Consumer Protection, Katarina Barley, has called for greater transparency in scoring and creditworthiness assessments.
What we didn’t accomplish
In addition, SCHUFA itself has obstructed us. When the General Data Protection Regulation (GDPR) came into force at the end of May 2018, SCHUFA changed its information practice: As a rule, the documents SCHUFA is legally obliged to provide free of charge to citizens now contain considerably less data than before.
Our opinion is that this information practice is in violation of the GDPR. To determine and to change this, however, would take a lot more time and resources.
We were therefore unable to collect enough meaningful data to systematically understand the SCHUFA procedure as well as we would have liked.
It is true that we made SCHUFA sweat. However, we have not yet succeeded in building up sufficient pressure to make the SCHUFA process more comprehensible to the public. We simply did not have the resources to follow up on it forcefully – to force Minister Barley to explain concretely what she is going to do to bring the change she publicly demanded. To persuade the parties to take a stand and demand change. To work with alliances to win over consumer protection organisations and other stakeholders to join the campaign.
The Hessian Data Protection Commissioner must (be able to) fulfil his supervisory duties.
The authority is responsible for monitoring SCHUFA. Obviously, the DPA is not up to this task. A private enterprise so central to social participation must be adequately and effectively monitored by democratically legitimised institutions.
The data protection commissioner – or another organisation to be determined as an alternative – must regularly, e.g. every two years, provide a comprehensive assessment of SCHUFA and comparable companies. This must not only be about the mathematical/statistical correctness of the procedure, but the following aspects should be considered:
- data storage and data consistency
- the social impact of possible discrimination effects
- the effective means of appeal available to those concerned.
The reports drawn up for this purpose must be fully accessible to the public.
The GDPR and/or the Federal Data Protection Act (BDSG) must be adapted.
- SCHUFA and other credit scoring companies argue that they do not have to explain their processes to those affected as laid down in Article 22 of the GDPR and Recital 71 (BDSG §31). The rationale: Because SCHUFA does not make a decision based on the score it calculates and/or no purely automatic decisions are made based on this score by SCHUFA’s customers (banks, telecom providers etc.), the scoring procedure (profiling) does not need to be explained. This absurd state must be fixed.
- It must be checked whether SCHUFA and comparable companies comply with the criteria of Article 12 of the GDPR. It states that the data controller must provide the data subject with all information relating to the processing operation "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". It is more than doubtful that the SCHUFA information in its current form complies with this regulation.
- The GDPR must be amended in such a way that SCHUFA and comparable companies must provide information on the stored data and further information free of charge and in a structured, commonly used, machine-readable and interoperable format at short notice. The fact that SCHUFA currently has up to 30 days to provide access to digital data (as a jpg file) by postal mail is a farce. After a one-off online registration, in which proof of entitlement can also be provided (Postident, online identity card verification etc.), SCHUFA must enable the immediate retrieval of the data that credit rating companies are legally obliged to provide.
These demands have to be fulfilled. Minister Barley has called for changes, but has not yet announced any draft laws.
Last update: May 2019
Last but not least, we would like to thank the data teams from Spiegel Online and Bayerischer Rundfunk, who invested a lot of energy to bring some light into the "Black Box Schufa".