
Exclusive
Schufa stores out-of-date data from millions of consumers for long periods of time without being seen by the public. Research shows this non-delivery report and NW. It’s all legal, Shufa said, but data and consumer advocates are alarmed.
This is the real treasure that Shufa possesses, and it may have been her biggest secret until now. In addition to the “official” Schufa database, there is a second collection that even many experts knew nothing about: the “historical” data of millions of consumers, outdated information dating back many years and which, according to victims, has long since been deleted.
Old loans and credit cards, foreclosures and personal bankruptcies, debts that victims often paid off years ago. Confidential information that could cause great harm if it falls into the wrong hands.
Thus, in European data protection law there is a “right to be forgotten,” a legal obligation to delete old data after a certain period of time. Anyone who has paid off their debts once should not fall back into the trap of their past again and again. However, Schufa believes that it can also store and use such data on a permanent basis.
At the request of corporate clients such as banks, it calculates the solvency of consumers on a specific day in the past – but only as a test, he emphasizes. With these ratings, which are calculated based on historical data, customers can be shown how reliable the new Schufa rating, which was introduced in the spring thanks to a major promotional effort, is. Schufa is currently trying to bring this new product to market, and a treasure trove of data is helping.
Lawyer: “Data testing is not allowed”
From their point of view, such data checks are unacceptable,” says Ruth Janal, an expert in data protection law and professor at the University of Bayreuth. “Historical data provides some insight into the financial situation of people who have suffered in the past. This simply does not apply to Schufa’s contract partners.”
The explosiveness of the tests becomes clearer when you see who can receive their results: in addition to banks, these include telecommunications companies, energy suppliers, large trading companies, e-commerce providers and payment service providers. non-delivery report and SZ sent dozens of requests, but only three companies – a bank, a payment service provider and an energy supplier – admitted to using such historical Schufa data. Many companies responded evasively, some not at all. And some simply said that it was better to contact Shufa directly.
Consumer Advocates: Misuse of data possible
However, Shufa emphasizes that data processing under the contract is “strictly limited to testing and monitoring purposes.” They will also have to be “removed from banks and other companies once the tests are completed.” However, all this is problematic, says Claudio Seitz-Brandmeier of the Federal Association of Consumer Organizations (VZBV), “because it is very tempting for companies that receive this data not only to use this data for testing purposes, but to actually use it, for example, for making credit decisions.”
Beyond the potential for data misuse, there is also harm to consumers as they lose control of their data, says data protection lawyer Janal. According to the highest court decisions, “such loss of control may also constitute non-pecuniary damage requiring compensation.”
Shufa considers himself right
Everything is legal, but this is the main idea of Schufa. “The storage and further processing of historical data is based on several complementary data protection permissions,” the response states. non-delivery report and NW. Banks in particular are required by law to ensure that estimates are meaningful, which is why “Schufa is required to retain historical data for testing purposes.”
Other companies also require reliable consumer reviews, which must be pre-vetted and therefore have a “legitimate interest”. Data security expert Janal also questions the legitimacy of the shadow database itself – at least to this extent.
“Permanent storage of such historical data for indefinite future purposes is not permissible under the case law of the European Court,” says Janal. If you want to check the reliability of estimates, old data makes sense. “But this can be achieved with a much smaller data set,” says Janal. To do this, Schufa does not need the data of tens of millions of German citizens.
No interest from consumers?
Affected consumers have yet to hear anything. Neither the fact that your outdated data is still stored, nor the experiments that Schufa and its customers conduct with it. Even if you request information from Schufa, a so-called copy of the data.
According to the post, no one cares about this old data anyway: “Consumers especially want to know what their current credit score is and what data affects your score. That’s not the case with historical data.” Schufa wrote about this on its website a few days ago, making public the existence of such historical data for the first time – apparently in response to previous requests from non-delivery report and SZ on this topic.
The fact that consumers don’t need to know that such data is stored “is nonsense in my opinion,” Janal says. The right to information enshrined in the European General Data Protection Regulation “of course also includes data that Schufa calls historical data.”
Data Protection Expert requires investigation
Data protection expert Matthias Spielkamp from the non-governmental organization AlgorithmWatch believes that “the scale of the process cannot be overstated.” “Schufa has to wonder what level of irresponsibility exists here.” Now there is an urgent need to figure out what is happening with the data.
In fact, the data protection officer of the state of Hesse, responsible for Schufa, has been working on data testing since spring 2025. The legal basis is currently being studied, as well as whether consumers need to be informed by copying the data, as requested. However, the process is not yet complete.