The 2026 SCHUFA score reforms and implications for financial services firms

RegCORE Client Alert | German Regulatory Developments

QuickTake

On 17 March 2026, SCHUFA Holding AG (SCHUFA) – Germany's largest and most influential credit reference agency (CRA) – implemented a comprehensive reform of its scoring methodology, representing one of the most significant changes to consumer credit scoring practices in Germany in recent years.See press announcement (German here and in English here).Show Footnote SCHUFA, despite its quasi-regulatory influence over consumer access to credit and economic participation, is a private company rather than a public authority. It holds data on more than 68 million individuals in Germany, making its scoring methodology a matter of profound significance for virtually every adult in the country. Few financial transactions – whether obtaining a mobile phone contract, renting an apartment, or securing a mortgage – proceed without a SCHUFA enquiry. The reformed model, which succeeds the previous Score Generation V.3 introduced in 2016, dramatically reduces the number of criteria used to calculate consumer credit scores from approximately 250 data attributes to just 12 clearly defined factors, including payment history, the number and age of credit accounts, credit enquiries and the age of the consumer. This simplification is designed to enhance transparency and enable consumers to understand their score.

Alongside the new scoring model, SCHUFA launched a free digital account enabling consumers to access their current data and score at any time and significantly shortened the retention period for negative data – including aligning insolvency data retention with the six-month public availability period required under German law. These reforms directly address transparency and data protection concerns that have intensified following landmark rulings by the Court of Justice of the European Union (CJEU) in Cases C-634/21 and C-203/22, which held that automated credit scoring constitutes "automated individual decision-making" under Article 22 of the EU’s General Data Protection Regulation (GDPR) where the score is used as a decisive factor in credit decisions.

These developments have significant implications for financial services firms operating in Germany and across the EU. Firms relying on SCHUFA scores - or scores from other CRAs - must ensure compliance with Article 22 GDPR, including providing meaningful transparency to consumers about how scores influence credit decisions, implementing appropriate safeguards such as genuine human intervention and reviewing data retention practices. This Client Alert summarises the key changes to the SCHUFA methodology, the legal drivers behind the reform and the resulting obligations and key considerations for regulated firms.

What has changed in the SCHUFA methodology?

SCHUFA has introduced several key changes to its credit scoring methodology. Most notably, it has transitioned from a percentage-based system to a points-based model, enabling consumers to understand how strongly each criterion affects their overall score and to recalculate their score without requiring statistical expertise. Under the new system, scores range from 0 to 999 (rather than percentages), with higher values indicating stronger creditworthiness. Consumers are classified into score bands ("Scoreklassen") that correspond to the risk categories used by lenders. Importantly, scores under the old and new systems are not directly comparable-a former score of 98.5% will not translate into 985 points. The principal changes are summarised below:

A. Reduction of scoring criteria

As noted above, the new model uses only twelve clearly defined criteria to calculate consumer credit scores, replacing the approximately 250 data points used under the previous methodology. These criteria are:

• Payment disruptions (e.g., defaults, collection proceedings, or insolvency filings), which remain the most heavily weighted negative factor. SCHUFA has disclosed that consumers with no payment disruptions automatically receive 264 of the maximum 999 points in this criterion alone. Where a payment disruption has been recorded but subsequently resolved, the points allocation is significantly reduced: 100 points immediately after resolution, rising to 135 points after one year and 152 points after two years. Where payment disruptions remain unresolved, SCHUFA does not calculate a score at all.
• The number of existing credit accounts (loans, mortgages).
• The age of the oldest credit account.
• The number of credit cards held.
• The age of the oldest credit card.
• The number of current accounts (bank accounts).
• The number of telecommunications contracts.
• The number of mail order or e-commerce accounts.
• The total number of credit enquiries in recent history.
• The date of the most recent credit enquiry.
• The age of the SCHUFA record (i.e., how long the consumer has been known to SCHUFA).
• The age of the consumer.

SCHUFA has stated that the new score was developed around four guiding principles: explainability (Erklärbarkeit), transparency (Transparenz), influenceability (Beeinflussbarkeit) and fairness (Fairness). By limiting the score to these 12 factors, SCHUFA has sought to address the transparency concerns identified by the CJEU and by German data protection authorities. The new model is designed to be more readily comprehensible to consumers and more straightforward for financial services firms to explain.

The reform also introduces fairness-oriented adjustments to how credit enquiries are treated. Under the previous model, each credit enquiry and each subsequent contract conclusion were counted separately, potentially resulting in multiple score deductions for a single transaction. The new methodology consolidates enquiries made within a 28-day period into a single enquiry for scoring purposes. Furthermore, an enquiry followed by a contract conclusion is now treated as a single event rather than two separate scoring factors. This change directly addresses concerns that consumers who compare offers across multiple providers – for example, when seeking the best terms for a credit card – were previously penalised for prudent comparison shopping.

B. Transparency and reproducibility

A central objective of the reform is to enable consumers to understand and, in principle, reproduce or verify their own score. SCHUFA has characterised the new score as "the world's first fully transparent score" – a significant (and very welcome) departure from the opacity that has historically characterised credit scoring globally. SCHUFA has published explanatory materials detailing the twelve criteria, their relative influence on the score and the general direction in which each criterion affects the score. For example, having a long credit history generally improves one's score, while recent credit enquiries or payment disruptions reduce it.

C. Free SCHUFA account and data access

In conjunction with the score reform, SCHUFA launched a free digital account ("SCHUFA Account") that enables consumers to access their current SCHUFA data and score at any time, at no cost. The account is accessible via a web application at app.schufa.de or through the new SCHUFA mobile app (available on iOS and Android). Registration is free and can be completed either through identification via the German identity card with online identification function (eID) or by requesting a PIN letter by post. This goes beyond the statutory right to one free data access request per year under Article 15 GDPR (the right of access by the data subject) and the German Federal Data Protection Act (Bundesdatenschutzgesetz or "BDSG", being the German national legislation that supplements and implements the GDPR in Germany). The free account allows consumers to monitor their stored data on an ongoing basis, verify its accuracy and, where necessary, initiate corrections or dispute entries. Data and scores are updated at the beginning of each calendar quarter. SCHUFA has indicated that it will progressively integrate further services into the account, including free notifications of initial negative entries and its existing paid subscription products. This development materially strengthens consumers' ability to exercise their GDPR rights in practice.

Notably, the new SCHUFA Score also replaces the "Basisscore" that SCHUFA had provided to consumers since 2008 as a cross-industry orientation value. This historical score, while informative, did not align with the industry-specific scores that creditors actually used in their decision-making. The reform therefore addresses a long-standing disconnect: for the first time, consumers and businesses now see the same score, facilitating more open and trust-building communication between creditors and their customers.

D. Data retention changes

Under the previous model, SCHUFA retained data from public insolvency registers for up to three years, whereas under German law entries in the public insolvency register were deleted after six months. As part of the reforms, SCHUFA reduced the retention period for resolved debt data to comply with new legal requirements. Data relating to settled debts is now deleted after a significantly shorter period, and the retention of data from public insolvency registers has been aligned with the six-month public availability period.

Why the change: The CJEU Ruling

As explored in our earlier Client AlertAvailable here.Show Footnote the CJEU in December 2023 delivered a landmark ruling in Case C-634/21, holding that automated credit scoring by credit reference agencies constitutes "automated individual decision-making" within the meaning of Article 22 of the GDPR where the score is used by a third party (such as a bank or lender) as the decisive or substantially determinative factor in decisions affecting data subjects (i.e., the identified or identifiable natural persons to whom personal data relates). This decision was confirmed by a further judgment of the CJEU in Case C-203/22 in February 2025.

A. Automated decision-making under Article 22 GDPR

The CJEU held that where a credit reference agency calculates a probability score regarding a consumer's creditworthiness and transmits that score to a third party (such as a bank), and that third party relies substantially on the score to make a decision affecting the consumer (e.g., whether to grant credit), the scoring process itself falls within the scope of Article 22(1) GDPR. Article 22(1) provides that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling (being any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as creditworthiness, reliability, or behaviour), which produces legal effects concerning them or similarly significantly affects them.

The practical consequence of this finding is that both the credit reference agency and the party relying on the score must ensure that one of the exceptions in Article 22(2) GDPR applies – namely, that the automated decision is (a) necessary for entering into or performing a contract, (b) authorised by Union or Member State law, or (c) based on the data subject's explicit consent. In all cases, appropriate safeguards must be in place, including the right of the data subject to obtain human intervention, to express their point of view and to contest the decision.

B. Transparency and the right to explanation

The CJEU's ruling reinforced the data subject's right under Article 15(1)(h) GDPR to receive "meaningful information about the logic involved" in automated decision-making processes. This imposes an obligation on both credit reference agencies and the financial institutions relying on their scores to provide consumers with a sufficiently detailed explanation of how a score was derived. While this does not necessarily require disclosure of the full algorithm or trade secrets, it does require that the key factors, their relative weight and the general methodology be communicated in a manner that the data subject can understand and, where appropriate, challenge. The CJEU's rulings have effectively made SCHUFA's previous approach untenable. While SCHUFA has characterised its transparency reforms as voluntary, commentators have noted that the CJEU's jurisprudence made greater transparency effectively unavoidable.

C. Data retention from public registers

The CJEU also addressed the practice of storing data derived from public insolvency registers beyond the period for which such data is publicly available. The Court held that this extended retention could not be justified under Article 6(1)(f) GDPR (the "legitimate interests" ground, which permits data processing where necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided such interests are not overridden by the interests or fundamental rights of the data subject) without a proper balancing of interests, as the prolonged storage of negative data disproportionately affects the data subject's ability to participate in economic life.

Implications for regulated firms

The change in SCHUFA methodology and the move from percentages to points-based scoring has significant implications for regulated firms in Germany as well as those abroad doing business into Germany. Importantly, the new score replaces the six separate industry-specific scores that SCHUFA previously provided for banks, savings banks, cooperative banks, telecommunications, retail, and mail order/e-commerce. This consolidation means that all sectors now receive the same score, fundamentally changing how firms must consider and communicate credit assessments.

Transition timeline and adoption

• SCHUFA corporate customers have been able to test and deploy the new score since April 2025. As of March 2026, approximately 25 percent of companies that previously used SCHUFA's industry-specific scores have transitioned to the new unified score. Early adopters include banks as well as retail, mail order, and e-commerce companies.
• The new score also reflects changes in consumer behaviour since the previous Score Generation V.3 was introduced in 2016. SCHUFA has noted that the prevalence of mini-credits has increased significantly, and comparison platforms are now widely used for shopping for financial products. These market developments were incorporated into the design of the new methodology.
• For regulated financial institutions, particularly banks, the transition requires notification to and approval by the competent banking supervisory authority before implementation. To facilitate an orderly transition, SCHUFA has established a transition period extending until the end of 2028, during which both old and new scoring methodologies will remain available. Firms should plan their migration strategies accordingly, taking into account internal change management processes, regulatory approval timelines, and the need to update downstream systems and customer communications.

GDPR compliance and automated decision-making obligations

As discussed above, the CJEU ruling confirmed that financial institutions relying substantially on SCHUFA scores (or scores from other credit reference agencies) in credit decisions are subject to the obligations of Article 22 GDPR. This means that firms must ensure:

They have a lawful basis for automated decision-making, such as the necessity of scoring for entering into a credit agreement or explicit consumer consent. They provide affected consumers with meaningful information about the logic of the scoring, the significance of the score and the envisaged consequences of the automated processing. They implement appropriate safeguards as required by Article 22(3) GDPR, including the right to human intervention, the right to express a point of view and the right to contest the decision. Where a consumer challenges a credit decision made primarily on the basis of a credit score, the firm must be able to demonstrate that a genuine, individualised review was conducted.

Financial institutions should review their existing lending processes, automated decision-making frameworks and customer-facing disclosures to ensure compliance with these requirements. In particular, firms should assess whether their reliance on third-party credit scores constitutes "solely automated" decision-making and, if so, whether the appropriate exceptions and safeguards under Article 22(2) GDPR are in place.

Transparency and disclosure to customers

The reforms substantially raise the bar for transparency in credit scoring. Financial services firms that use SCHUFA scores in their decision-making processes are now expected to be able to explain to customers, in clear and accessible terms, which factors contributed to a credit decision and how the score was derived. Because SCHUFA has published the twelve criteria and their directional effects (as detailed above), financial services firms may reference this published methodology in customer communications. However, firms should ensure that explanations are tailored to the specific decision at hand and are not merely generic disclosures.

Firms should also be prepared to respond to increased volumes of customer enquiries regarding credit scores and their impact on lending decisions, given the heightened public awareness resulting from the reforms and the availability of free SCHUFA accounts.

Data retention and negative data

The CJEU's ruling on data retention has direct implications for how financial institutions and their service providers handle negative credit data. Firms should ensure that their internal data retention policies are aligned with the shortened retention periods now observed by SCHUFA, particularly with respect to insolvency data and settled debts. Continuing to rely on stale or improperly retained negative data in credit decisions could expose firms to regulatory enforcement action and civil liability under the GDPR.

Financial institutions should also consider whether their contractual arrangements with credit reference agencies adequately address data retention obligations and whether they have appropriate processes for updating or removing outdated data.

Impact on credit risk assessment practices

The reduction from approximately 250 to twelve scoring criteria may affect the granularity and predictive power of credit scores available to financial institutions. Firms should evaluate whether the new scoring model provides a sufficient basis for their risk assessment and credit underwriting processes or whether supplementary data sources or internal scoring models may be necessary to maintain the desired level of risk differentiation.

At the same time, the simplified model may reduce the incidence of scoring anomalies or errors arising from complex and opaque data processing, potentially decreasing the number of consumer disputes and the associated operational burden for firms.

In this regard, SCHUFA has emphasised that the new score maintains a high level of predictive accuracy ("Prognosegüte"), as confirmed by testing conducted by corporate customers. The reformed methodology thus seeks to balance transparency with continued reliability for credit risk assessment purposes.

SCHUFA has also published data on the impact of the transition to the new scoring methodology. According to the company, 83 percent of consumers will remain in the same score class under the new system. Nine percent of consumers will see an improvement in their score class, while eight percent will experience a deterioration – most commonly a shift from the "excellent" (hervorragend) to the "good" (gut) category. The new score is also designed to improve more quickly in response to reliable payment behaviour, which SCHUFA has noted may particularly benefit younger consumers who have not yet had the opportunity to establish an extensive credit history.

Contractual and vendor management considerations

Financial services firms that use SCHUFA data or scores under contractual arrangements should review those agreements in light of the reforms. Key areas for review include data processing agreements under Article 28 GDPR (which governs the relationship between data controllers and data processors, requiring written contracts that set out the subject matter, duration, nature and purpose of processing, and the obligations and rights of the controller), the scope of data shared and received, data retention and deletion obligations and any representations regarding the methodology or reliability of scores. Firms should also assess whether additional vendor due diligence is warranted in connection with other credit reference agencies that have not yet undertaken comparable transparency reforms.

Key priorities for contractual and policy documentation

In light of the SCHUFA reforms and the binding principles established by the CJEU, regulated firms should prioritise reviewing and updating their contractual documentation and internal policies. The following areas may warrant particular attention:

Contractual documentation priorities

• Data processing agreements: Firms should review and, where necessary, amend their Article 28 GDPR data processing agreements with SCHUFA and other CRAs to include: updated data retention provisions reflecting SCHUFA's shortened retention periods (including the six-month period for insolvency data); express obligations on the CRA to provide sufficient information to enable the firm to explain scoring logic to consumers in accordance with Articles 15(1)(h) and 22 GDPR; notification requirements obliging the CRA to inform the firm promptly of material changes to scoring methodology; cooperation clauses requiring timely response to data verification requests and consumer disputes; audit rights enabling the firm to verify CRA compliance; updated liability and indemnity provisions addressing potential claims arising from non-compliant data retention or methodology opacity; and provisions addressing the transition period to the end of 2028.
• Vendor contracts and service level agreements: Existing contracts with credit reference agencies should be assessed to ensure they contain adequate representations regarding the methodology and reliability of scores, clear data retention and deletion obligations aligned with GDPR requirements, provisions requiring the CRA to notify the firm of material changes to scoring criteria or methodology and appropriate liability and indemnity provisions in respect of non-compliance with data protection requirements.
• Consumer-facing terms and conditions: Credit agreements and related consumer-facing documentation should be updated to include: clear and prominent disclosures regarding the use of automated credit scoring in lending decisions; an explanation of the key factors that may influence the decision, with reference to the twelve published SCHUFA criteria where applicable; express provisions setting out the consumer's rights under Article 22(3) GDPR (including the right to obtain human intervention, to express their point of view and to contest the decision); contact details and procedures for exercising human intervention rights; information on how the consumer can access their credit data and score through the free SCHUFA Account; and confirmation that the firm will conduct a genuine review of contested decisions. Such disclosures should be drafted in plain language and prominently displayed.
• Privacy notices and pre-contractual disclosures: Privacy notices should be amended to include: clear identification of automated decision-making that produces legal effects or similarly significantly affects the data subject; meaningful information about the logic involved in credit scoring, including reference to the twelve published SCHUFA criteria and their directional effects; the significance and envisaged consequences of such processing; information about the data sources used; the legal basis for processing (including where reliance is placed on Article 22(2)(a) or (c) GDPR); the data subject's rights under Article 22 GDPR; and applicable data retention periods. These disclosures should be provided at the time of data collection and remain accessible throughout the customer relationship.
• Broker and intermediary agreements: Agreements with brokers and introducers should include: obligations on the intermediary to provide consumers with required disclosures regarding automated decision-making and credit scoring at the point of application; requirements to obtain and document any necessary consents; provisions ensuring the intermediary does not make representations inconsistent with the firm's disclosures; obligations to notify consumers of their Article 22 GDPR rights; indemnities in respect of failures to provide required disclosures; and audit rights enabling the firm to verify intermediary compliance.

Policy documentation priorities

• Automated decision-making policies: The firm's automated decision-making policy should include: a clear definition of “solely automated decision-making” consistent with the CJEU's interpretation, recognising that reliance on third-party credit scores as a decisive factor constitutes automated decision-making under Article 22 GDPR; a classification of credit decisioning processes according to the degree of automation and the role of credit scores; specified thresholds or criteria for when a decision is deemed to be “based solely” on automated processing; mandatory safeguards for each category of automated decision, including transparency obligations and human intervention rights; governance arrangements with designated responsibility for oversight; and periodic review requirements to ensure continued compliance as methodologies and regulatory expectations evolve.
• Human intervention procedures: The firm's human intervention policy should specify: the criteria that trigger the right to human review (including consumer requests and specified decision outcomes); the qualifications required for personnel conducting reviews, including relevant training and decision-making authority; the scope of information to be considered (including the credit score, underlying data, consumer representations and relevant contextual factors); the standard of review to be applied, ensuring substantive assessment rather than procedural confirmation of automated outputs; the authority of reviewers to reach different outcomes than the automated process, including the ability to approve applications declined by automated systems; documentation requirements for reviews sufficient to demonstrate compliance; timeframes for completing reviews and communicating outcomes; and escalation procedures for complex cases. Procedures that amount to mere procedural formalities or 'rubber-stamping' of automated outputs will not satisfy Article 22 GDPR.
• Data retention policies: Internal data retention schedules should be aligned with SCHUFA's shortened retention periods, including the six-month retention period for data from public insolvency registers and earlier deletion of resolved debt data. Policies should include: clear prohibition on reliance on negative credit data retained beyond the periods now observed by SCHUFA; procedures for the timely deletion or updating of negative credit data held internally; requirements to verify the currency of credit data obtained from CRAs before relying on it in credit decisions; documentation of the legal basis for retention of credit-related personal data; and periodic review mechanisms to ensure retention periods remain aligned with evolving regulatory expectations.
• Transparency and disclosure policies: Firms should establish clear protocols for explaining credit scoring logic to consumers. These policies should reference the twelve published SCHUFA criteria and their directional effects, provide templates or guidance for staff responding to consumer enquiries and ensure that explanations are tailored to the specific decision at hand rather than consisting of generic disclosures.
• Vendor due diligence policies: Enhanced due diligence procedures should be implemented for credit reference agencies, with particular attention to CRAs that have not yet adopted transparency reforms comparable to those undertaken by SCHUFA. Policies should require periodic assessment of CRA methodologies, data retention practices and compliance with applicable data protection requirements.
• Cross-border consistency: For firms operating across multiple EU Member States, policies should be harmonised to ensure consistency in automated decision-making frameworks, documentation standards and review mechanisms across jurisdictions. This is particularly important given that the CJEU's interpretation of Article 22 GDPR applies uniformly across the EU and will shape supervisory expectations in all Member States.

Regulatory framework interactions

The GDPR obligations arising from the SCHUFA reforms interact with other regulatory frameworks, creating specific contractual and policy documentation requirements. Firms should ensure that credit agreements and pre-contractual information documents satisfy both the Consumer Credit Directive (Directive 2008/48/EC, as amended) and GDPR transparency requirements simultaneously. The forthcoming revised Consumer Credit Directive (Directive 2023/2225) will introduce enhanced explanation requirements that align with the CJEU's interpretation of Article 22 GDPR. Payment service providers offering overdraft facilities should review their framework agreements to ensure human intervention mechanisms are available for instant credit decisions. Investment firms using automated assessments in suitability determinations should review their policies to assess whether such processes constitute automated decision-making under Article 22 GDPR. Critically, the EU Artificial Intelligence Act (Regulation 2024/1689) classifies AI systems used to evaluate creditworthiness as 'high-risk' under Annex III, requiring extensive documentation including risk management systems, data governance, transparency documentation and human oversight procedures – requirements that become fully effective from August 2026. Regulated financial institutions should also note that the transition to the new SCHUFA methodology may require notification to or approval from BaFin before implementation and should plan their regulatory engagement timeline accordingly given the transition period extending to the end of 2028.

Documentation and record-keeping requirements

Policies should establish comprehensive documentation requirements including: records of all credit decisions made using automated processing, including the score relied upon and the factors considered; records of all human intervention reviews, including the information considered, the reasoning applied and the outcome; records of consumer disputes and their resolution, including correspondence with CRAs; evidence of disclosures provided to consumers at each stage of the credit process; and audit trails sufficient to reconstruct the decision-making process in the event of regulatory enquiry, litigation or consumer complaint. Records should be retained for a period sufficient to respond to regulatory enquiries and legal proceedings, taking into account applicable limitation periods.

Dispute resolution procedures

Consumer dispute resolution policies should include: a clear and accessible process for consumers to challenge credit decisions, communicated at the point of decision; defined timeframes for acknowledging disputes (typically five to ten business days) and for completing substantive reviews; requirements for qualified personnel with genuine decision-making authority to conduct reviews; specified information to be considered, including the credit score, underlying data and any consumer representations; requirements for reasoned responses explaining the outcome and factors considered; escalation pathways for consumers dissatisfied with initial review outcomes; and procedures for coordinating with SCHUFA or other CRAs where the consumer disputes underlying data accuracy. Contractual arrangements with CRAs should include provisions requiring timely response to data verification requests.

Consumer protection perspective: residual concerns

While the reforms represent a significant advance in transparency, consumer advocates have identified residual concerns that firms should be aware of. The Verbraucherzentrale NRW (Consumer Protection Centre of North Rhine-Westphalia) has noted that certain demographic groups may remain structurally disadvantaged under the new methodology. 

In particular, younger consumers who have not yet had the opportunity to establish a credit history, and individuals who relocate frequently due to education or employment, may find it more difficult to achieve high scores – although SCHUFA has indicated that the new score is designed to improve more quickly for those with reliable payment behaviour, which may partially mitigate this concern. 

Additionally, consumer advocates have cautioned that the new system could inadvertently influence consumer behaviour in ways that are not necessarily optimal – for example, through "buy now, pay later" or invoice payment options that trigger credit enquiries. The Verbraucherzentrale has also observed that consumers who frequently compare offers and switch providers may still incur score deductions, although the 28-day consolidation rule should reduce this effect.

Consumer advocates have also emphasised that the risk of erroneous entries persists. Debt collection agencies may report payment disruptions or make enquiries even where the underlying claim is disputed or unfounded. Where this occurs, affected consumers bear the burden of identifying and correcting inaccurate data – a process that can be time-consuming and frustrating. Firms should therefore maintain robust procedures for responding to consumer disputes regarding credit data and should not treat SCHUFA data as infallible. The Verbraucherzentrale recommends that consumers regularly check their stored data and exercise their right to a free data access request, which remains available independently of the new SCHUFA Account.

More fundamentally, a number of legal commentators have noted that while the new transparency is welcome, it does not automatically resolve questions about the legal permissibility of specific scoring factors in individual cases. Transparency answers the question of which factors affect the score, but not whether a particular negative impact is legally permissible in a given case. Firms should therefore remain alert to the possibility of consumer challenges to score-based decisions, even under the new transparent methodology.

Finally, while SCHUFA has presented the new score as providing greater transparency and consumer control, the Verbraucherzentrale has noted that the practical impact of the score on credit decisions remains significant. In mass-market transactions, particularly in e-commerce, the SCHUFA score often functions as the decisive factor in whether a contract is concluded and on what terms – even if SCHUFA itself characterises the score as merely one input among several. Firms should be aware that consumers may increasingly scrutinise and challenge score-based decisions and should ensure that their processes for human review and dispute resolution are robust and genuinely substantive.

Outlook

The SCHUFA reforms represent a significant (if not welcome) shift in the European credit scoring landscape, but they are unlikely to be the final word. The CJEU's interpretation of Article 22 GDPR applies across all Member States and supervisory authorities throughout the EU are expected to scrutinise credit reference agencies and the financial institutions that rely on their scores with increasing rigour. Firms should anticipate that other major CRAs operating in the EU will face pressure to adopt comparable transparency measures, and that national data protection authorities may issue further guidance on the permissible scope and methodology of automated credit scoring. The European Data Protection Board may also seek to harmonise supervisory approaches, particularly as cross-border data flows and pan-European credit products become more prevalent.

For regulated firms, the reforms underscore the importance of treating GDPR compliance in credit decisioning not as a one-off exercise but as an ongoing obligation requiring regular review. As algorithmic transparency becomes the expected standard, firms that proactively align their processes, documentation and customer communications with the principles established by the CJEU will be better positioned to manage regulatory risk and maintain consumer trust. Those that delay may find themselves responding reactively to enforcement action or reputational challenges. Firms are encouraged to engage with their supervisory authorities, monitor developments at both EU and national levels and ensure that their governance frameworks are sufficiently agile to accommodate further regulatory evolution in this space.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.  

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business. 

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.   

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.  

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.