Federal Court of Justice strengthens credit risk management with landmark data retention ruling
Across Europe, the retention of personal data by credit agencies has been a growing fault line. Businesses have found themselves caught between competing imperatives: strict data protection obligations under the GDPR on the one hand, and the practical need to assess credit risk on the other. Recent case law has only heightened this tension, creating real uncertainty about how long payment default data may be lawfully retained.
A landmark ruling of the German Federal Court of Justice (FCJ) on 18 December 2025 (I ZR 97/25) brings welcome clarity. The decision confirms that payment default data reported by private businesses to credit agencies may be retained for longer than comparable data sources from public registers. For private credit agencies – and the many data-driven businesses that rely on them – this marks an important recalibration of the balance between data protection and effective risk management.
The case concerned personal data on payment defaults reported by businesses and held by Schufa, a major German credit agency. At its core was a fundamental question: must payment default data reported by private creditors be deleted according to the same strict timelines that apply to data sourced from a public register? The FCJ’s answer was clear. Retention periods for privately reported data are independent from those governing public register data, allowing for longer retention periods.
Ensuring effective risk management through reasonable data retention
In its assessment, the FCJ weighed debtors’ right to privacy against the interests of Schufa and businesses that rely on its credit risk assessments. Central to this balancing exercise was the distinct purpose served by payment default data reported by debtors’ contractual partners, as compared with entries in public registers. The court emphasised that payment default data enables risk‑sensitive and responsible lending decisions.
First, the FCJ noted that information contained in public insolvency registers, particularly relating to the discharge of residual debt, is designed to provide debtors with a “financial new start”. This aligns with the case law of the Court of Justice of the European Union (CJEU) which has previously held that retaining such data beyond the official public-register retention period would undermine that objective (C‑26/22, C‑64/22, SCHUFA Holding).
Second, the FCJ contrasted this purpose with that of payment default data transmitted by private businesses, finding that debtors’ interests are fundamentally different. The FCJ reasoned that the primary purpose of payment default data is not to facilitate a debtor's financial new start, but to enable a wide range of businesses to make informed decisions based on reliable credit risk assessments. This serves a legitimate economic interest in accordance with Art. 6(1)(f) GDPR that is essential for the functioning of the broader market.
Based on this distinction, the FCJ concluded that the strict deletion requirements applicable to data in public registers are not transferable to privately reported payment default data. Instead, credit agencies may retain such data for up to three years following the settlement of the underlying claim. Only in narrow circumstances may the retention period for data regarding settled claims be reduced to 18 months – essentially where the individual risk profile has demonstrably stabilised. This may be the case where (i) no additional payment defaults have been reported, (ii) no entries in public registers have been made, and (iii) the claim was settled within 100 days of being reported. Finally, the FCJ also found that, in exceptional circumstances, which must be demonstrated by the respective debtor, the retention period may be even shorter.
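The retention rule summarised above can be expressed as a deletion schedule that a data governance team could run over its records. The following is an added illustration, not code from the ruling, from Schufa or from the author of this note: it applies the three-year standard period after settlement, reduces it to 18 months only when conditions (i) to (iii) all hold, and flags records where the debtor has documented exceptional circumstances for individual review rather than computing a shorter date automatically. The record fields, the calendar-month arithmetic and the treatment of unsettled claims as having no deletion date yet are assumptions for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Periods as stated in the ruling (summarised in the text above)
STANDARD_RETENTION_MONTHS = 36   # three years following settlement of the claim
REDUCED_RETENTION_MONTHS = 18    # where the individual risk profile has stabilised
PROMPT_SETTLEMENT_DAYS = 100     # claim settled within 100 days of being reported


@dataclass(frozen=True)
class DefaultRecord:
    """A privately reported payment default (field names are assumed)."""
    reported_on: date
    settled_on: Optional[date]            # None while the claim is still open
    further_defaults_reported: bool       # condition (i) fails if True
    public_register_entry: bool           # condition (ii) fails if True
    exceptional_circumstances_documented: bool = False  # debtor-demonstrated, see text


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def reduced_period_applies(rec: DefaultRecord) -> bool:
    """All three narrowing conditions (i)-(iii) must be met for 18 months."""
    if rec.settled_on is None:
        return False
    settled_within = (rec.settled_on - rec.reported_on).days <= PROMPT_SETTLEMENT_DAYS
    return (not rec.further_defaults_reported
            and not rec.public_register_entry
            and settled_within)


def retention_months(rec: DefaultRecord) -> int:
    return REDUCED_RETENTION_MONTHS if reduced_period_applies(rec) else STANDARD_RETENTION_MONTHS


def deletion_due(rec: DefaultRecord) -> Optional[date]:
    """Date from which the record should be deleted; None while the claim is open.

    The ruling ties the period to settlement, so an open claim has no clock here
    (assumption: open claims are handled by a separate process).
    """
    if rec.settled_on is None:
        return None
    return add_months(rec.settled_on, retention_months(rec))


def needs_individual_review(rec: DefaultRecord) -> bool:
    """Exceptional circumstances may justify an even shorter period, but the
    ruling gives no fixed figure, so such records are routed to a human decision."""
    return rec.exceptional_circumstances_documented


def is_due_for_deletion(rec: DefaultRecord, today: date) -> bool:
    """True once the computed deletion date has been reached (open claims never)."""
    due = deletion_due(rec)
    return due is not None and today >= due


if __name__ == "__main__":
    # Constructed sample record: reported 10 Jan 2024, settled 1 Mar 2024 (51 days)
    sample = DefaultRecord(date(2024, 1, 10), date(2024, 3, 1), False, False)
    print(retention_months(sample), deletion_due(sample))
```

Records for which `needs_individual_review` returns true should carry the documented rationale the ruling expects, so that the shorter period can be defended later.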
Why this ruling matters: Creating a balanced data protection regime
The FCJ’s ruling provides a counterweight to some recent, more consumer-friendly judgments in German data privacy litigation. Previously, the FCJ’s VI. Senate had lowered the bar for claiming non-material damages under Art. 82 GDPR, imposing demanding requirements for consent and paying little attention to alternative legal bases under Art. 6(1) GDPR – such as performance of a contract or legitimate interests. This stance has attracted considerable criticism, sits uneasily with recent CJEU case law and has amplified litigation risks for companies handling personal data.
Due to a recent change in the internal allocation of cases, the FCJ’s I. Senate has assumed jurisdiction over data protection cases from the VI. Senate. This shift matters for businesses because it may recalibrate the balance between data protection and economic reality at the highest judicial level. How consistently the I. Senate will build on the previous case law, and what new direction it will set, remains to be seen.
Early indications are grounds for optimism: The I. Senate’s ruling in this case, following the VI. Senate’s so-called “positive data” ruling (VI ZR 431/24), reinforces the importance of "legitimate interests" as a legal basis for data processing under Art. 6(1)(f) GDPR. In that “positive data” case decided by the VI. Senate, the FCJ already affirmed that a telecommunications company could permissibly transfer basic customer contract data (so-called “positive data”) to a credit agency for fraud prevention. This decision builds on a coherent, market‑oriented logic, ensuring that data protection principles are not interpreted so broadly as to paralyse essential economic functions like risk management.
Significantly, the FCJ also indicates, obiter dicta, that adherence to an approved industry code of conduct can carry considerable weight when assessing compliance and liability under Art. 82 GDPR. In practice this could operate as a strong mitigating factor, even where individual processing steps are challenged.
Clarity and discretion for businesses
Overall, the judgment provides a clear safe harbour. Companies and credit agencies may confidently implement a three-year retention period for privately reported payment default data, while acknowledging that shorter periods may apply (only) in specific, individual circumstances. This resolves the uncertainty where businesses faced a conflict: either retain data for risk management and face GDPR penalties, or delete it prematurely and incur greater losses from payment defaults and fraud. The Higher Regional Courts of Koblenz (2 U 621/25) and Frankfurt (6 U 133/25) have already signalled that they intend to follow the FCJ’s approach to retention of payment default data without reservation.
More broadly, the FCJ implicitly acknowledges a significant degree of entrepreneurial discretion in data management. This discretion is further clarified through the judgment's alignment with codes of conduct approved by regulators such as the Hessian Commissioner for Data Protection, offering a practical framework for its exercise. Building on the established legal principle that there is no general duty to retain data, the FCJ now clarifies the corresponding freedom companies have in determining when to delete it. The FCJ makes clear that statutory retention periods should be interpreted as a flexible range within a broader proportionality assessment, not a fixed deadline. Within this framework, the precise timing of deletion remains a matter of entrepreneurial discretion, provided that the underlying risk‑based rationale is well‑founded and documented.
Takeaways for businesses
By clarifying the distinction between public‑register data and privately reported payment defaults, the FCJ has provided a robust framework for risk‑based data retention. For companies, three strategic implications stand out:
First, data‑driven risk management continues to be treated as a legitimate objective under the GDPR framework. Firms that rely on credit information may, subject to case‑by‑case assessment, calibrate their retention schedules around a three‑year horizon for privately reported defaults and, where appropriate, consider shorter periods – for example down to 18 months – if the narrowly defined conditions are plausibly met and the underlying assessment is carefully documented.
Second, the decision strengthens the role of Art. 6(1)(f) GDPR as a central legal basis in commercial contexts. Where processing is tightly linked to fraud prevention, credit‑worthiness assessment or other core economic functions, businesses should not hesitate to invoke legitimate interests – ideally anchored in sectoral codes of conduct and supported by transparent information to customers.
Third, the ruling underscores that entrepreneurial freedom in data governance remains protected, within the boundaries of proportionality. Statutory retention rules for public registers do not automatically dictate private‑sector deletion timelines. Instead, companies are expected to justify their retention in a way that is consistent, documented and aligned with their risk profile.
Taken together, the FCJ’s ruling signals a more mature phase of European data protection: one in which robust privacy safeguards and sophisticated risk management are understood as complementary, not contradictory. Businesses that use this moment to refresh their retention policies and governance structures will be better positioned – both commercially and in defending themselves against future (mass) claims.
