GE HES DP Credit Reporting Agencies


On Jun. 3, GE HES DP approved a new code of conduct for credit reporting agencies.


  • GE HES DP approved a new code of conduct for credit reporting agencies.
  • The rules of conduct for the association Die Wirtschaftsauskunfteien were revised after 6 years because GE HES DP objected to the existing code rule on Oct. 23, 2023.
  • Key Aspects
  • The rules contradicted several resolutions passed in the meantime by the Conference of Data Protection Commissioners and the EDPB, and had to be adapted to the ECJ ruling of Dec. 7, 2023.
  • The ECJ had classified individual regulations as contrary to EU law, but at the same time did not object to the basic business model of the credit reporting agencies.
  • The new code only concerns the review and storage periods of personal data legally stored by GE credit agencies; it does not replace GDPR rules, but rather specifies special requirements for credit agencies that can be derived from them for the sub-area of review and storage periods.
  • Thus, it does not contain any regulations on the question of whether storage of certain data is justified, and leaves the rights of data subjects and the powers of the supervisor unaffected.
  • The code no longer has storage regulations for positive data and account data misuse criticized by the DSK, and restricts storage of contract data to contractual relationships per the Banking Act.
  • E.g. to information on trouble-free contracts for current accounts and credit cards.
  • Specifies the regulated storage by providing definitions in a glossary and referring to legal rules.
  • For example, address data and money laundering data are not stored for credit scoring.
  • Specifies storage periods in terms of start and end, and sets an end date for address data.
  • Shortens deadlines for subsequently settled claims, for all insolvency data and for data on residual debt relief and the claims underlying it.
  • Assessment Procedure
  • As part of the association hearing, 5 associations representing the banking industry and consumers took a controversial stance on the draft code of conduct.
  • In addition to GE HES DP, supervisory authorities from Baden-Württemberg, Bavaria and North Rhine-Westphalia took part in the negotiations with the association.
  • Before approving the code, GE HES DP also informed the DSK; its members who oversee the non-public sector unanimously agreed on May 14, 2024 to the approval of the code.
  • Effectiveness
  • Two obligations of the code only apply from Oct. 1, 2024, one from Jan. 1, 2025.
  • The new obligations limit storage and review periods, purposes of data storage and scope of application or subject matter; to implement them, credit agencies must make extensive technical and organizational adjustments, which take a corresponding amount of time.
  • To avoid legal uncertainty during this period, the relevant provisions of the previous code of conduct will continue to apply until the new regulations come into force.

Regulators: GE HES DP
Entity Types: CRB
Reference: PR 6/3/2024; GDPR Reg 2016/679
Functions: Compliance; Legal; Operations; Privacy; Record Retention; Technology
Countries: Germany
Category:
State:
Products: Corporate
Regions: EMEA
Rule Type: Final
Rule Date: 6/3/2024
Effective Date: 10/1/2024
Rule Id: 214424
Linked to: N/A
Reg. Last Update: 6/3/2024
Report Section: EU

Last substantive update on 06/06/2024