Authored By: Majoyeogbe Boluwatife Ebenezer
Obafemi Awolowo University
CASE NAME: OQ V LAND HESSEN (SCHUFA HOLDING) CITATION: C-634/21
COURT: COURT OF JUSTICE OF THE EUROPEAN UNION CHAMBER OF THE COURT OF JUSTICE.
JUDGEMENT: 7TH OF DECEMBER 2023
PARTIES:
OQ———— Plaintiff
Land Hessen ———— Defendant
Facts:
The case of OQ v Land Hessen concerned a German individual, identified as OQ, who applied for a bank loan that was ultimately rejected. The rejection was based on an assessment from SCHUFA, a credit reference agency that evaluates individuals’ creditworthiness for financial institutions. SCHUFA generates credit scores using algorithms that apply mathematical and statistical models to large amounts of personal financial data in order to estimate the likelihood of future behavior, such as the repayment of a loan.
In OQ’s case, the bank refused the loan after receiving a negative credit score from SCHUFA. OQ subsequently requested access to the personal data used in generating the score and asked that any inaccuracies be corrected or deleted. SCHUFA, however, only provided the credit score itself and a general description of its scoring process, explaining that full disclosure would infringe on trade secrets. SCHUFA also maintained that the bank, not the agency, was responsible for the loan 1refusal.
On 18 October 2018, OQ lodged a complaint with the Hessian Data Protection Authority, seeking detailed information on how the score was calculated and its consequences. The authority dismissed the complaint on 3 June 2020, finding SCHUFA’s practices lawful. OQ then appealed to the Administrative Court of Wiesbaden, which referred the matter to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
ISSUES RAISED:
- Interpretation and application of Article 22 of the General Data Protection Regulation (GDPR) regarding automated individual decision-making, including profiling. 2. Whether Schufa owes and any responsibility to the Plaintiff
- Whether facts can be subjected to automation decision making (ADM) considering human involvement or Whether SCHUFA’s credit scoring constituted “automated individual decision-making” under GDPR, despite not making the final decision.
INTERPRETATION AND APPLICATION OF ARTICLE 22 OF THE GENERAL DATA PROTECTION REGULATION (GDPR) REGARDING AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING.
Article 22(1) GDPR establishes a negative right for individuals namely, the right “not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or significantly affects him or her in a similar way.”
In addition, Article 15(1)(h) GDPR grants individuals subject to ADM a ‘right of access.’ This allows them to request from data controllers “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.” This was at the core of OQ’s initial application.
However, Article 22 GDPR also provides certain exceptions to the general prohibition on ADM. A decision may be permitted if it is:
(i) necessary for the performance of a contract between the data subject and the controller;
(ii) authorised by national law of an EU member state with appropriate safeguards in place; or
(iii) based on the data subject’s consent.
WHETHER SCHUFA OWES AND ANY RESPONSIBILITY TO THE PLAINTIFF
The Court gave a broad interpretation to the term ‘decision’ under Article 22 GDPR when considering whether SCHUFA’s activities amounted to ADM. It held that, even though SCHUFA did not directly decide on the loan rejection, its provision of the credit score had a “determining role” in the final outcome, which was sufficient to qualify as a decision. In his Opinion, the Advocate General emphasized that the wide scope of the concept of a decision can cover “a number of acts which may affect the data subject in many ways.” Another important consideration was that SCHUFA, rather than the bank, was better placed to fulfil the information duties under Article 15(1)(h) GDPR, since the bank lacked knowledge of how the automated scoring processes operated. Likewise, the CJEU read the final part of Article 22(1) GDPR expansively, finding that the negative credit score assigned to OQ “at the very least […] significantly” affected her.2
WHETHER THE FACTS CAN BE SUBJECTED TO AUTOMATION DECISION MAKING (ADM) CONSIDERING HUMAN INVOLVEMENT OR WHETHER SCHUFA’S CREDIT SCORING CONSTITUTED “AUTOMATED INDIVIDUAL DECISION-MAKING” UNDER GDPR, DESPITE NOT MAKING THE FINAL DECISION.
The Court found that Article 22 GDPR is applicable even though SCHUFA itself does not make the final loan decision. This is because, in practice, the credit scores it generates have a decisive influence on banks or similar institutions when they decide whether to grant credit.
As a result, a decision made solely by automated means regarding an individual’s creditworthiness is not compliant with the GDPR. However, EU Member States may introduce national exemptions to this rule. In addition, the judgment imposes further information obligations for ADM processes used in credit scoring.3
ARGUMENTS:
The plaintiff was denied a loan by a bank based on a credit score produced by SCHUFA, a credit agency. Hence argues that OQ has a right to access detailed information on the personal data and the automated decision-making (ADM) processes used by SCHUFA under GDPR Article 15(1)(h).
OQ also Sought correction or erasure of incorrect personal data held by SCHUFA affecting her creditworthiness.4
The Defendant on the other hand argues that its credit scoring constituted automated individual decision-making under GDPR Article 22, which requires transparency and certain protections for individuals. Also SCHUFA claimed that they had to disclose detailed algorithmic information despite trade secret claims, and that their role was more than just preparatory.
Although SCHUFA acknowledged providing the credit score and a broad overview of how it was calculated but refused to disclose specific algorithm details citing trade secrets but argued that it did not make the actual lending decision; the final decision was made by the bank. Therefore, the bank is responsible and not them. Lastly, they also contended that their role was merely producing an automated score, a preparatory act, and thus it was not subject to GDPR obligations on automated decision-making under Article 22.5
JUDGEMENT
The Court decided on that the automated establishment of a probability value (credit score) by a credit information agency based on personal data constitutes automated individual decision making within the meaning of Article 22 GDPR. This applies when a third party (e.g., a bank) receiving the credit score relies strongly on it to make decisions that establish, implement, or terminate contractual relations affecting the individual.
SCHUFA’s role in creating the credit score is not merely preparatory but has a determining role in the credit decision process. As a result, the GDPR protections around automated decisions apply, which include the right of individuals to receive meaningful information about the logic involved and the potential consequences.
The decision of the court also captures the need for companies issuing ADM that significantly affect individuals to comply with GDPR’s transparency and fairness obligations. The Court sent the case back to the German Administrative Court (Verwaltungsgericht Wiesbaden) to decide on issues related to national law exemptions concerning automated credit scoring.6
LEGAL DECISION:
The court decision is guided by the reasoned that a credit score is not just background data but a decisive factor in granting or rejecting loans. The credit score is not a neutral input; in practice, banks heavily rely on it when deciding whether to grant a loan. So, the score effectively determines the outcome, making it part of the automated decision-making process. The rejection of the loan was dependent on SCHUFA analysisthrough automation. Since it significantly affects individuals, it qualifies as Automated Decision Making under Article 22 GDPR. Thus, SCHUFA must respect transparency, fairness, and information rights, unless a valid national exemption applies.
The CJEU’s judgment is important not only for parties engaged in producing or using credit scores but also for its broader implications as more organisations rely on service providers for algorithmic decision-making, including the use of AI systems. The ruling indicates that companies offering automated calculations or processes to clients, where those outputs guide decisions with legal or similarly significant effects on individuals, can fall within the scope of Article 22 GDPR, even if they are not the ones making the final decision themselves.7
CONCLUSION
In conclusion, this case brought clarity in respect to Article 22 of GDPR, especially in matters that falls under ADM. It answers to some extent what level will human involvement will determine automated decision. Setting precedent on who and what is responsible to a data subject in respect to ADM.
Reference(S):
1 Kempitlaw ‘SCHUFA: What does the landmark CJEU ruling on Automated Decision-Making mean for businesses?’ (kempitlaw , 2025) https://kempitlaw.com/insights/schufa-what-does-the-landmark-cjeu-ruling-on-automated decision-making-mean-for-businesses/ Accessed 22 August ,2025
2 Kempitlaw ‘SCHUFA: What does the landmark CJEU ruling on Automated Decision-Making mean for businesses?’ (kempitlaw , 2025) <https://kempitlaw.com/insights/schufa-what-does-the-landmark-cjeu-ruling-on automated-decision-making-mean-for-businesses/> Accessed 22 August ,2025
3 Michalsons ‘SCHUFA case | OQ v Land Hessen | Automated decision-making’ (Michalsons, 2025) < https://www.michalsons.com/blog/schufa-case-oq-v-land-hessen-automated-decision-making/76054 > Accessed 23 August ,2025
4 Goodwinlaw ‘CJEU ADM Decision Casts Wide Net Over Credit Scoring Agencies’ (Goodwinlaw, 26th January 2024)<https://www.goodwinlaw.com/en/insights/blogs/2024/01/cjeu-adm-decision-casts-wide-net over-credit-scoring-agencies > 23 August ,2025
5 Kempitlaw ‘SCHUFA: What does the landmark CJEU ruling on Automated Decision-Making mean for businesses?’ (kempitlaw , 2025) <https://kempitlaw.com/insights/schufa-what-does-the-landmark-cjeu-ruling-on-automated decision-making-mean-for-businesses/> Accessed 23 August ,2025
6 Michalsons ‘SCHUFA case | OQ v Land Hessen | Automated decision-making’ (Michalsons, 2025) < https://www.michalsons.com/blog/schufa-case-oq-v-land-hessen-automated-decision-making/76054 > Accessed 24 August ,2025
7 RPCLEGAL ‘CJEU rules on what constitutes “automated decision-making” under the GDPR’ (rpc legal, 2024) <https://www.rpclegal.com/snapshots/data-protection/spring-2024/cjeu-rules-on-what-constitutes automated-decision-making-under-the-gdpr/ > Accessed August 24 ,2025
