GDPR and Credit Rating

On 5 June 2020, the State Commissioner for Data Protection and Freedom of Information in Germany (‘LfDI Baden-Württemberg’) issued guidance (‘the Guidance’), on the basis of the GDPR, on data privacy requirements for Credit Rating Agencies. The Guidance was issued in response to the number of complaints the authority had received about the processing of data by the agencies. The State Commissioner therefore examined the agencies' data collection and processing procedures for compliance with the GDPR. Following the examination, the authority found that the agencies had been passing on a limited positive rating to inquiring third parties without any available data to base it on.

The authority has clarified that any credit assessment of an individual or company should be considered lawful only if it is based on adequate and accurate standards grounded in probability and relevant data. The LfDI Baden-Württemberg has also clarified that the creditworthiness of an entity is not to be decided on the basis of similarity of data. Furthermore, the authority abhors the practice of forcing entities to disclose their data against their will under the threat of receiving bad ratings. In conclusion, through the Guidance the authority has shown its vigilance in exercising its supervisory power and curbing unfair practices among credit rating agencies.


To avoid such malpractice, it is important for Credit Rating Agencies and Finance Organisations to ensure compliance with data privacy laws to the best of their ability. Primarily, organisations that do not have agreements with their processors need to enter into appropriate agreements covering data processing and sharing. Organisations and agencies that already have an agreement need to reassess and verify it in the light of the GDPR. All of this documentation must adhere strictly to the GDPR and the Data Protection Act, 2018.

These organisations and agencies may also carry out a Data Protection Impact Assessment to audit all relevant data processing activities; if any loopholes are found, they need to be corrected at the earliest opportunity in compliance with the GDPR. A data breach in processing by a finance organisation can be detrimental both in terms of fines and in terms of the organisation's reputation.

We at Symmetry Compliance provide all of the above data privacy related services.
