When a bank grants a loan, an online shop sells goods on account, or a company provides services in advance, there is always a risk that the borro­wer, buyer or custo­mer may not fulfil its obli­ga­tion at all, not fully, or not on time. To help credi­tors assess this risk, credit infor­ma­tion agen­cies offer different kinds of services that evaluate the credit­wor­thi­ness of indi­vi­duals seeking credit. These services include credit scores, which are nume­ri­cal evalua­tions of a person’s credit­wor­thi­ness, calcu­la­ted based on an agency’s model.

The proces­sing of perso­nal data for the purpose of evalua­ting a person’s credit­wor­thi­ness – parti­cu­larly, through credit scoring – is an impor­tant and widely discus­sed use case of data protec­tion law. This stems from the conflic­ting inter­ests at stake : Data protec­tion and the protec­tion of perso­na­lity rights, in parti­cu­lar the inter­est in trans­pa­rency and the use of appro­priate infor­ma­tion, contrast with the protec­tion of the credit-provi­ding economy, namely the inter­est in being able to assess credit risks and prevent payment defaults. The resul­ting and often novel data protec­tion issues under Swiss and European law are exami­ned in the disser­ta­tion summa­ri­zed here.

Apart from the intro­duc­tion and the summary in the form of theses, the disser­ta­tion is divi­ded into four parts. Part 1 explains the concept of credit scoring, explores its econo­mic ratio­nale, intro­duces the actors invol­ved, describes its func­tio­ning, and provides an over­view of the data and data sources used. This part is based not only on publi­cly avai­lable infor­ma­tion, but also on the results of a survey conduc­ted among Swiss credit infor­ma­tion agencies.

Part 2 is devo­ted to funda­men­tal ques­tions of data protec­tion law. It clari­fies the mate­rial and terri­to­rial scope of data protec­tion law and the roles of the actors invol­ved (i.e., control­ler or proces­sor). Additionally, it high­lights the funda­men­tal diffe­rences between the approach of the Swiss Federal Act on Data Protection (FADP) and the EU’s General Data Protection Regulation (GDPR).

Part 3 of the thesis addresses the admis­si­bi­lity under data protec­tion law of calcu­la­ting credit scores as (high-risk) profi­ling. After explai­ning the essen­tial concepts of profi­ling, perso­na­lity profile (within the meaning of the old FADP) and high-risk profi­ling (as defi­ned in the FADP), the proces­sing prin­ciples are exami­ned and applied to credit scoring. The compre­hen­sive and in-depth analy­sis of the calcu­la­tion of credit scores as profi­ling in light of the proces­sing prin­ciples forms the core of the disser­ta­tion. Part 3 concludes with a discus­sion of possible grounds for justi­fi­ca­tion under the FADP and the legal basis for profi­ling under the GDPR.

Part 4 of the disser­ta­tion addresses the ques­tion of whether – in light of the CJEU’s deci­sion in the SCHUFA case (judg­ment C‑634/​21 of 7 December 2023) – the calcu­la­tion of credit scores can also be clas­si­fied as an auto­ma­ted deci­sion. After brief preli­mi­nary remarks on termi­no­logy, the purpose of the regu­la­tion on auto­ma­ted deci­sions in data protec­tion law is analy­sed. The thesis then examines the legal crite­ria of an auto­ma­ted deci­sion under the FADP and the GDPR, and concludes by answe­ring the afore­men­tio­ned ques­tion in the negative.

The disser­ta­tion ends with a summary in the form of theses. Among them, the follo­wing appear parti­cu­larly noteworthy :

• Profiling quali­fies as high-risk profi­ling (accor­ding to Art. 5 lit. g FADP) if its input consti­tutes a perso­na­lity profile as defi­ned in the old FADP. The high risk to the data subject’s perso­na­lity or funda­men­tal rights is not an inde­pendent requi­re­ment for high-risk profiling.
• To be suitable for evalua­ting a person’s credit­wor­thi­ness, data must be rele­vant for this purpose, either accor­ding to gene­ral life expe­rience or from a mathe­ma­ti­cal-statis­ti­cal pers­pec­tive. The mere possi­bi­lity of false conclu­sions, for example, those drawn from a person’s address, is irrelevant.
• The period during which a credit infor­ma­tion agency may use data to evaluate a person’s credit­wor­thi­ness must be based on statu­tory time limits, namely the ten-year limi­ta­tion period of Art. 127 Swiss Code of Obligations under the FADP and the (at least) five-year obser­va­tion period of the EU’s Capital Requirements Regulation under the GDPR.
• The prin­ciple of data accu­racy does not prohi­bit the proces­sing of inac­cu­rate data but requires that appro­priate measures be taken to address inac­cu­ra­cies. This also applies to value judg­ments and proba­bi­lity state­ments, such as credit scores.
• 31 para. 2 lit. c FADP provides for a special (over­ri­ding) inter­est that may justify proces­sing acti­vi­ties for the purpose of evalua­ting a person’s credit­wor­thi­ness. This provi­sion, parti­cu­larly its sections 1–4, which exclude high-risk profi­ling and the proces­sing of data older than ten years and data rela­ting to minors, does not esta­blish gene­ral requi­re­ments for proces­sing acti­vi­ties under­ta­ken to assess creditworthiness.
• The credit score is merely the output of a profi­ling. It does not consti­tute a deci­sion (within the meaning of Art. 21 FADP and Art. 22 GDPR), even if a credi­tor draws stron­gly or exclu­si­vely on the credit score in making its credit decision.