Privacy & Cybersecurity Law Blog

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

The court had to decide whether this required a credit reference agency to disclose (1) how its scoring algorithm weighed various factors and (2) how the reference groups used to arrive at a credit score were comprised. The full text of the judgment is not yet available but, according to the press release, the court held that while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act, they do not have to disclose the two items mentioned above.

The court noted that the legislative intent behind the provision was to make credit scoring more transparent to consumers, while also protecting the credit reference agencies’ trade secrets (e.g., the scoring algorithms). Because transparency includes providing information that would enable a data subject to take action to change his or her score, data subjects must be informed about the specific matters the credit reference agencies take into account when calculating credit scores. That said, a data subject does not need to know the agency’s formula for weighing various factors or how the reference groups are comprised. Accordingly, data subjects cannot require credit reference agencies to disclose those types of details.

The judgment provides an important clarification by Germany’s highest civil court in an area heavily regulated by German data protection law. It is relevant to all businesses that process and share personal data subject to German law using predictive algorithms.