The Federal Court of Justice (BGH) in Karlsruhe has issued a significant ruling impacting the data retention practices of credit agencies like Schufa, potentially undermining the principles of the General Data Protection Regulation (GDPR). The decision, delivered on December 28, 2025, effectively allows credit agencies to retain data pertaining to settled payment defaults for longer periods than initially envisioned under European data protection law.
The case centered on a plaintiff who challenged Schufa’s practice of maintaining records of three previously resolved debts for several years. These records were then factored into a credit score assessment, classifying the plaintiff as presenting a “very critical” risk of default. The plaintiff argued that this data retention violated GDPR principles, asserting an unreasonable infringement on personal data rights.
While a lower regional court initially dismissed the plaintiff’s claim, a higher appellate court partially ruled in favor, acknowledging potential GDPR concerns. However, the BGH overturned that ruling, sending the case back for reconsideration.
The court’s reasoning hinges on the assertion that the retention periods for data regarding payment defaults are not dictated by expiry deadlines established for public debt registries. Instead, the BGH indicated that approved internal guidelines employed by credit agencies can be utilized, provided they facilitate a “reasonable balancing of interests”. Crucially, the court stated these guidelines must demonstrably account for the specifics of each individual case during the balancing of competing interests.
This ruling has drawn immediate criticism from privacy advocates who argue it creates a loophole that allows credit agencies to circumvent the spirit, if not the letter, of the GDPR. Concerns are being voiced that the court’s interpretation could normalize the prolonged storage of potentially damaging information, disproportionately affecting individuals with past financial challenges.
Legal experts suggest this decision shifts the burden of justification squarely onto the supervisory authorities, requiring them to rigorously scrutinize the internal guidelines of credit agencies to ensure they genuinely serve a legitimate purpose and appropriately weigh individual rights against the interests of businesses. The case underscores the ongoing struggle to reconcile the commercial imperatives of credit scoring with the fundamental rights enshrined in the GDPR and sets a precedent that is likely to spur further legal challenges. The long-term implications for data privacy in Germany and potentially across the EU, remain to be seen.