The Bottom Line
- Green Light for Fraud Prevention: Companies in Germany can lawfully share basic, non-negative customer data (e.g., the existence of a contract) with credit agencies like SCHUFA if the primary purpose is to prevent significant fraud.
- “Legitimate Interest” is Key: The court confirmed that fraud prevention can constitute a “legitimate interest” under GDPR Art. 6(1)(f), outweighing the customer’s privacy rights when the financial risks of fraud are high.
- Important Limitation: This ruling only covers the transmission of data for fraud prevention. It does not decide whether credit agencies can use this “positive” data to calculate a person’s general credit score.
The Details
A German consumer protection association brought a case against a major telecommunications provider, aiming to halt the practice of sharing “positive data” with the SCHUFA credit agency. This data does not concern missed payments or defaults; rather, it includes basic information like a customer’s name and the fact that a contract has been initiated or terminated. The company argued this data sharing was a crucial tool for preventing fraud. The case worked its way up to Germany’s highest civil court, the Federal Court of Justice (BGH), which has now provided important clarification on this common business practice.
The court sided with the telecommunications company, ruling that the data sharing was permissible under the GDPR‘s “legitimate interest” clause (Art. 6(1)(f)). The judges performed a balancing test, weighing the company’s need to protect itself against the privacy rights of its customers. They concluded that the company’s interest in preventing costly fraud schemes—such as those involving identity theft or individuals rapidly opening multiple contracts to obtain expensive smartphones—was significant enough to justify sharing limited, basic data. This decision confirms that businesses facing substantial fraud risks have a solid legal basis for collaborating with credit agencies on prevention.
However, the court’s ruling is narrowly focused and should not be misinterpreted as a free pass for unrestricted data sharing. The judges explicitly stated that their decision was limited to the lawfulness of transmitting the data for the specific purpose of fraud prevention. They deliberately did not rule on the subsequent question of how SCHUFA or other agencies are permitted to process this data—specifically, whether incorporating such “positive” contract information into a consumer’s overall credit score is legal. This remains a contentious and unresolved issue, leaving a critical area of data processing open for future legal challenges.
Source
Bundesgerichtshof (German Federal Court of Justice)
