Credit scoring under the GDPR: Insights from the CJEU’s SCHUFA case

The Court of Justice of the European Union’s (CJEU) SCHUFA case revealed significant insight into the complex relationship between credit scoring processes, data protection regulations and the emerging artificial intelligence (AI) governance framework. This paper offers a thorough analysis of the court ruling in the SCHUFA case, focusing on the question of whether credit scoring processes are qualified as automated decision making (ADM) under the General Data Protection Regulation (GDPR). The paper starts by defining credit scoring and its importance in financial decision making, followed by the concerns associated with it. The analysis then shifts to focus on credit scoring systems in light of GDPR and the new European Union Artificial Intelligence Act (EU AI Act), before proceeding to the main facts of the case along with the decision of the Court. After discussing the potential implications of the CJEU’s decision on credit information agencies and other industries relying on ADM, the paper highlights the importance of considering robust measures to mitigate the risks associated with ADM.