German court permits telecoms to share customer data with SCHUFA for fraud
Federal Court of Justice rules telecommunications companies can transmit positive customer data to SCHUFA credit bureau under GDPR fraud prevention provisions.
Germany's highest civil court upheld the dismissal of a consumer protection lawsuit seeking to ban telecommunications companies from sharing customer contract information with SCHUFA Holding AG, the country's dominant credit bureau. The Federal Court of Justice delivered its judgment on October 14, 2025, determining that data transmission serves legitimate fraud prevention interests under European privacy regulations.
The ruling addressed a narrow but commercially significant question: whether mobile network operators can lawfully share basic subscriber information with credit reporting agencies without explicit customer consent. According to the November 12, 2025 press release from the Federal Court of Justice, the VI Civil Senate confirmed lower court decisions rejecting the consumer association's injunction action.
The telecommunications defendant had transmitted master data necessary for identity comparison—including names and address information—alongside notifications when postpaid mobile phone contracts were established or terminated. This practice continued until October 2023, when the company modified its data sharing procedures. The consumer association argued such transmissions violated data protection principles by processing positive data—information reflecting normal contractual relationships rather than payment defaults or contract violations.
The court applied Article 6(1)(f) of the General Data Protection Regulation, which permits processing when necessary for legitimate interests pursued by controllers or third parties. Fraud prevention qualified as such an interest. The Düsseldorf Higher Regional Court had documented specific fraud patterns justifying the data transmission: customers deceiving about their identities and concluding inexplicable numbers of mobile phone contracts with different providers within short timeframes, particularly to obtain expensive smartphones bundled with contract agreements.
Postpaid mobile contracts create substantial fraud exposure for telecommunications providers. Customers receive devices worth hundreds or thousands of euros upfront while committing to monthly payment obligations extending 24 months or longer. Fraudsters exploit this structure by establishing multiple contracts using false identities, acquiring premium devices, then abandoning payment responsibilities. The devices enter secondary markets while telecommunications companies absorb losses.
The Senate determined that consumer interests in preventing basic data transmission to SCHUFA do not outweigh the defendant's fraud prevention interest. This balancing assessment represents the core requirement under GDPR Article 6(1)(f), which explicitly acknowledges that legitimate interests may justify processing unless "overridden by the interests or fundamental rights and freedoms of the data subject."
The decision distinguished between data transmission for fraud prevention and subsequent SCHUFA processing for creditworthiness scoring. For procedural reasons, the Senate did not address how SCHUFA processes the positive data after receipt, including whether and how such information influences credit scores that affect consumer access to financial products, housing, and services.
This limitation matters significantly for the digital marketing ecosystem. Austrian authorities ruled in September 2025 that credit agency KSV1870 unlawfully employed fully automated scoring under GDPR Article 22 prohibitions against automated individual decision-making. The Austrian Data Protection Authority determined that algorithmic scoring systems designed for third-party automated contract evaluation violate privacy regulations when they substantially influence whether businesses establish customer relationships.
The European Court of Justice established in December 2023 that automated credit scoring constitutes prohibited decision-making under Article 22 GDPR when results significantly impact third-party contract decisions. That precedent, delivered in Case C-634/21 involving SCHUFA specifically, creates potential tension with the German Federal Court's October ruling. The German court addressed only whether initial data transmission violates privacy law, not whether subsequent algorithmic processing meets GDPR requirements.
The Düsseldorf Regional Court initially dismissed the action on March 6, 2024. The Higher Regional Court affirmed that decision on October 31, 2024. Both lower courts concluded that the consumer association's application was too broadly worded because it covered conduct that is not objectionable under data protection law alongside potentially problematic practices.
SCHUFA maintains 943 million records on 67.9 million individuals and 6 million companies across Germany. The organization processes more than 165 million credit checks annually, including 2.7 million self-checks by consumers reviewing their own data. Telecommunications companies, retail businesses, banks, and other creditors contribute data to SCHUFA's database under reciprocal information-sharing arrangements.
The November 2025 ruling does not resolve broader questions about credit bureau practices under European privacy frameworks. The European Commission proposed major GDPR amendments in November 2025 that would fundamentally alter automated decision-making provisions. Draft amendments would expand permissible automated processing for contract performance regardless of whether human decision-making represents a feasible alternative.
Privacy advocates have documented systematic problems with credit reporting accuracy and transparency. The Federal Consumer Protection Ministry identified high error rates in credit bureau data during a 2009 study. Consumer watchdog Stiftung Warentest found in 2010 that 1% of SCHUFA data contained errors, 8% was outdated, and 28% was incomplete. These quality concerns amplify when combined with algorithmic scoring systems that consumers cannot effectively challenge.
Telecommunications fraud represents a measurable economic problem. Mobile network operators face losses when customers obtain devices through deception then disappear without fulfilling payment obligations. Identity verification systems help mitigate these risks, but fraudsters continuously develop new methods to circumvent protective measures. The Federal Court acknowledged these commercial realities when balancing privacy interests against fraud prevention needs.
The ruling emerged from Germany's specialized data protection jurisprudence. The VI Civil Senate handles legal disputes arising from privacy law, bringing technical expertise to complex balancing assessments required under GDPR. The November 12 press release noted that the Senate's authority extends specifically to evaluating whether data processing meets legitimate interest requirements while respecting fundamental rights.
Data protection activists have warned that expanding credit bureau access creates comprehensive personality profiles that threaten individual autonomy. The Federal Data Protection Commissioner and several regional privacy authorities issued a joint May 2003 statement cautioning that each additional data source contributes to more detailed profiling. That concern predated GDPR implementation but remains relevant as credit bureaus seek new business opportunities in insurance, housing, and employment screening.
Germany has pushed for sweeping GDPR simplification beyond Commission proposals, submitting an October 2025 document requesting immediate amendments including changes to consent hierarchies, information requirements, and access rights. These regulatory reform efforts occur as courts interpret existing privacy provisions, creating uncertainty about how current jurisprudence will apply if the European Commission adopts substantial GDPR modifications.
The telecommunications industry relies heavily on credit information for contract decisions. Postpaid mobile services extend credit to customers through device financing and monthly billing arrangements. Operators assess default risk before establishing contractual relationships, using credit scores to determine deposit requirements, spending limits, and contract approval decisions. SCHUFA data feeds these risk assessment processes across the German telecommunications market.
Marketing technology companies face similar automated decision-making restrictions. Austrian courts mandated greater transparency in automated credit decisions through an August 2025 ruling requiring credit agencies to explain procedures and principles actually applied during automated processing. These transparency obligations extend beyond technical algorithm descriptions to provide practical understanding that enables data subjects to exercise their rights.
The November ruling does not address whether telecommunications companies can share negative payment information or contract violations with credit bureaus. Those transmissions occur under different legal frameworks with distinct privacy implications. Positive data—reflecting normal contractual relationships—creates different balancing considerations than negative payment histories documenting defaults or fraud.
Consumer advocates argue that individuals should control their own data regardless of commercial fraud prevention interests. The rejected lawsuit reflected this position, seeking blanket prohibition on positive data transmission. The Federal Court determined such absolute restrictions are incompatible with GDPR's legitimate interest provisions when processing serves fraud prevention objectives documented through concrete evidence.
Timeline
- October 2023: Telecommunications defendant modifies data sharing procedures with SCHUFA, discontinuing previous positive data transmission practices
- December 7, 2023: European Court of Justice rules on SCHUFA scoring establishing that automated credit assessments may violate Article 22 GDPR
- March 6, 2024: Düsseldorf Regional Court dismisses consumer association's injunction action seeking to prohibit positive data transmission to SCHUFA
- October 31, 2024: Düsseldorf Higher Regional Court affirms Regional Court decision rejecting the action
- August 19, 2025: Austrian court mandates transparency in automated credit decisions under GDPR Article 15
- September 25, 2025: Austrian Data Protection Authority rules credit scoring unlawful when employed for fully automated decisions
- October 14, 2025: Federal Court of Justice VI Civil Senate delivers judgment affirming dismissal of consumer association appeal
- November 12, 2025: Federal Court of Justice releases press statement explaining the October 14 judgment and legal reasoning
Summary
Who: Germany's Federal Court of Justice VI Civil Senate ruled on an appeal by a consumer association against a telecommunications company's data sharing practices with SCHUFA Holding AG, the country's dominant credit bureau maintaining records on 67.9 million individuals.
What: The court upheld dismissal of an injunction action seeking to prohibit transmission of positive data—basic customer master data and contract establishment information—to SCHUFA, determining such processing serves legitimate fraud prevention interests under GDPR Article 6(1)(f) despite privacy concerns raised by consumer advocates.
When: The Federal Court of Justice delivered its judgment on October 14, 2025, with the official press release published November 12, 2025, following lower court decisions in March and October 2024 that initially dismissed the consumer association's lawsuit.
Where: The case originated in Düsseldorf courts before reaching Germany's Federal Court of Justice in Karlsruhe, addressing telecommunications industry practices affecting millions of German mobile phone customers and the broader European data protection framework governing credit reporting.
Why: Telecommunications companies face substantial fraud losses when customers use false identities to obtain expensive smartphones through postpaid mobile contracts then abandon payment obligations, creating legitimate business interests in identity verification systems that the court determined outweigh consumer privacy interests in preventing basic data transmission despite ongoing questions about subsequent algorithmic credit scoring practices.