The recent judgment (C-634/21) by the Court of Justice of the European Union (CJEU) in the SCHUFA case has significant ramifications, particularly for entities engaged in automated decision-making processes. The case specifically addresses credit reference agencies, establishing that when creating credit repayment probability scores, these agencies are involved in automated individual decision-making. This responsibility extends to both the credit reference agency and the lenders relying on these scores, placing them under the purview of Article 22 of the GDPR.


Article 22 of the GDPR restricts automated individual decision-making, allowing it only under specific circumstances such as contractual necessity, legal justifications, or explicit consent. The CJEU’s ruling emphasizes the need for robust safeguards when engaging in such automated decision-making processes, including the provision for human intervention, the right to express views, and mechanisms to challenge decisions. While the decision pertains to credit reference agencies, its broader implications are felt across industries employing predictive AI tools and automated decision-making services.

Simultaneously, the CJEU, on the same day, addressed insolvency data retention in cases C-26/22 and 64/22. The cases involved individuals (UF and AB) who underwent insolvency proceedings in Germany, seeking the deletion of their data retained by SCHUFA, a credit reference agency. The CJEU ruled on the duration of data retention, emphasizing that German law, which allows public information on insolvencies to be published for six months, should take precedence over private sector interests.

Moreover, the decision underscored the right to erasure under Article 17 of the GDPR, asserting that it applies when personal data has been unlawfully processed. The right to object under Article 21 was reiterated, with the CJEU emphasizing the need for controllers to cease processing personal data if a data subject objects, unless compelling legitimate grounds override the data subject’s interests.

Importantly, the CJEU affirmed individuals’ right to a full judicial review of decisions made by Data Protection Authorities (DPAs). This rejects a more limited interpretation and ensures that data subjects have a comprehensive mechanism to challenge decisions related to their data.

In conclusion, these CJEU rulings accentuate the critical importance of transparency, accountability, and robust data protection measures in the evolving landscape of automated decision-making and data retention. Organizations are urged to align their practices with these legal developments to ensure compliance and safeguard individuals’ rights in the digital age.

Does your organization have questions about automated decision-making? Contact us, the Experts in Data Privacy at for assistance.