Germany’s leading credit bureau, Schufa, is facing scrutiny following reports that it maintains a previously undisclosed database of historical consumer information. While the company recently launched a transparency initiative to clarify its credit scoring methods, investigations by NDR and the Süddeutsche Zeitung suggest that millions of citizens have their past financial data—such as settled loans, foreclosures, and personal insolvencies—stored well beyond standard deletion periods. This discovery has sparked a debate regarding data privacy and the company's adherence to European regulations.
Schufa, which holds records on approximately 69 million individuals, serves as a critical gatekeeper for the German economy. Banks, landlords, and utility providers rely on its credit scores to assess the financial reliability of potential customers. The company maintains that this secondary collection of historical data is not used for standard credit scoring but is instead reserved for internal testing, development, and legal defense purposes. According to Schufa, this practice is contractually limited and serves to ensure the accuracy and reliability of its new, more transparent scoring models introduced in March 2026.
However, privacy advocates and legal experts argue that the existence of this 'shadow database' contradicts the principles of data minimization mandated by the General Data Protection Regulation (GDPR). Critics point out that consumers are generally unaware of this secondary storage, as these historical entries do not appear in the standard data copies that citizens can request under their right to access information. The core of the controversy lies in whether the company has a sufficient legal basis to retain sensitive financial history after the original purpose for that data has expired.
As the situation unfolds, the public and regulators are left to weigh the benefits of robust data testing against the fundamental right to have outdated financial information erased. While Schufa insists its practices are compliant with current laws and coordinated with data protection authorities, the lack of public disclosure regarding this secondary database remains a significant point of contention. Future developments will likely focus on whether supervisory authorities demand stricter limits on how long such historical records can be kept and whether the company must grant consumers full visibility into all stored information.
