CJEU SCHUFA vs ICO: Is GDPR Article 22 a ban or a right?
The CJEU classified credit scoring as automated individual decision-making under GDPR Article 22. The EDPB reads it as a general ban with exceptions, while the ICO frames it as a right to be activated.
Excerpt — The CJEU classified credit scoring as “automated individual decision‑making” under GDPR Article 22 (SCHUFA, 07/12/2023). The EDPB upholds a “ban with exceptions” reading, while the UK ICO frames it more as a “right” to be invoked. This directly impacts HR, credit and fraud algorithms operated from Luxembourg.
The case
On 7 December 2023, the CJEU issued two “SCHUFA” rulings. In case C‑634/21 (Scoring), the Court held that an automated probability value produced by a credit agency about a person’s ability to meet commitments “constitutes automated individual decision‑making” under Article 22 GDPR “when a third party relies heavily on that value to establish, perform or terminate a contract”. The Court added that such decisions are, in principle, prohibited unless one of Article 22(2)’s three exceptions applies and adequate safeguards are in place. Official references: CJEU press release and the SCHUFA Scoring judgment of 07/12/2023. See CJEU, PR 186/23; Curia, C‑634/21 SCHUFA Holding (Scoring). curia.europa.eu
In Luxembourg, the CNPD reproduces the text of Article 22 GDPR verbatim: data subjects “have the right not to be subject to a decision based solely on automated processing […] producing legal effects concerning them or similarly significantly affecting them.” Exceptions: contractual necessity, a specific legal basis, or explicit consent, with the right to human intervention, to express a viewpoint and to challenge the decision (Art. 22(3) and 22(4)). See CNPD — Chapter III, Article 22. cnpd.public.lu. For a practical overview, consult the GDPR framework and our page on CNPD compliance in Luxembourg.
Legal reasoning
Legal basis and structure of Article 22
- Article 22(1) enshrines, in its wording, “the right not to be subject” to a solely automated decision with legal or similarly significant effects.
- Article 22(2) provides narrow exceptions: a) necessary for a contract; b) authorized by EU or Member State law with appropriate safeguards; c) based on explicit consent.
- Article 22(3) requires minimum safeguards: human intervention, an opportunity to express a view, and a right to contest.
- Article 22(4) restricts use of special categories of data (Art. 9(1)) except under 9(2)(a) or (g) with safeguards. CNPD text (official GDPR). cnpd.public.lu
EDPB position (endorsed guidelines)
The EDPB formally endorsed WP29 Guidelines WP251 rev.01 “Automated individual decision‑making and Profiling” (2018). They read Article 22 as a general prohibition of “solely automated” decisions producing legal or similar effects, subject to limited exceptions. They detail what “meaningful” human intervention requires and related DPIA documentation. See EDPB — Endorsed WP29 Guidelines; WP251 rev.01 (pdf). edpb.europa.eu — cnpd.public.lu
CJEU SCHUFA contribution
The Court confirms that an automated score “may” fall under Article 22 when it effectively triggers a third party’s decision (e.g., credit denial). It thus strengthens Article 22’s scope and rejects attempts to relax Article 6(1)(f) via exception 22(2)(b). See CJEU — PR 186/23; Curia extracts. curia.europa.eu
Divergent ICO position (UK, post‑Brexit)
The UK regulator repeatedly presents Article 22 as a “right” for individuals to activate and manage, rather than a general prohibition with exceptions. The ICO states: “Article 22 of the UK GDPR gives individuals the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects,” focusing on safeguards and a DPIA for high‑risk processing, while clarifying applicability depends on “solely automated” and effects. See: ICO — What does the UK GDPR say about automated decision‑making and profiling?; ICO — What else do we need to consider if Article 22 applies?; ICO — Rights related to automated decision making including profiling. ico.org.uk
In short: the EDPB (and the CJEU) follow a “general prohibition + controlled exceptions” logic requiring genuine, auditable human intervention; the ICO frames Article 22 as an operational right to manage (with DPIA, transparency and redress), making exception‑based or mitigating approaches more practicable in the UK.
What this changes in Luxembourg
- Controllers in Luxembourg must follow the CJEU/EDPB reading:
  - By default, avoid “solely” automated decisions with legal or similarly significant effects (e.g., hiring without a human interview, credit/insurance denials based on a score, automatic account freezing by anti‑fraud engines, automated advertiser delisting). If such a decision is “necessary for a contract”, document precisely why full automation is required and why ex‑ante human review is unrealistic. See CNPD — Article 22. cnpd.public.lu
  - If relying on an exception (22(2)(a), (b) or (c)), implement the minimum safeguards of 22(3) and, in practice, a DPIA (Art. 35) with a “meaningful” human review: competent staff with authority to reassess, and access to the data, rules and model thresholds. See EDPB — WP251 rev.01. cnpd.public.lu
  - For credit scoring, passing the decision to a third party does not remove Article 22: if that third party “relies heavily” on your score, you fall within scope. Govern recipients’ use of the score by contract and audit it. See CJEU — SCHUFA Scoring. infocuria.curia.europa.eu
  - Beware of “assisted” AI/ML programs: a mere approval click is not enough. “Human intervention” requires effective, informed and challengeable control over the decision. Log the review (who, when, what) and define re‑decision criteria. This is the EDPB/WP29 line, endorsed by the CJEU. cnpd.public.lu. To operationalize controls, consider our AI compliance and governance service.
  - Enhanced transparency: Articles 13/14 and 15(1)(h) require explaining the existence of ADM, the underlying logic, its significance and its consequences. The CNPD’s pages reflect these duties. Prepare model‑specific explanation sheets (key features, thresholds, error rates). See CNPD — Rights and ADM. cnpd.public.lu
Common pitfalls
- Assuming a “human click” negates automation. If the intervention is cosmetic, the algorithm remains the decision‑maker under Article 22. Describe the human’s ability to overturn recommendations and measure the share of decisions actually changed. See EDPB — WP251 rev.01. cnpd.public.lu
- Outsourcing the score to “escape” GDPR. SCHUFA rejects this: if a third party heavily relies on your score, Article 22 still applies; accountability may be shared (joint controllership, recipient). infocuria.curia.europa.eu
- Invoking “contractual necessity” too readily. It must be demonstrated, not merely “practical”. Ask: is random or targeted human review technically and economically feasible? If yes, the exception is weak. See CNPD text; EDPB — Endorsed guidelines. edpb.europa.eu
- Forgetting the special‑category data restriction (Art. 22(4)). Health scoring or indirect inference of disability through proxies requires 9(2)(a) or (g) and safeguards. Systematically check for sensitive proxies among features. See CNPD — Article 22. cnpd.public.lu
- Copy‑pasting ICO doctrine. Helpful for explainability engineering, but not directly transplantable: in Luxembourg, follow CJEU/EDPB. Refer to EU sources and CNPD pages. See ICO; EDPB. ico.org.uk
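The two operational controls above (log the human review: who, when, what; and measure the share of decisions actually changed, so that a cosmetic “human click” is visible as such) can be implemented as a small audit record. The following is an added example written for this page, not code from the article, the CNPD, the EDPB or any regulator. The record layout, the field names, the sample decisions and the 20‑character rationale floor used to flag an empty review are all constructed assumptions; a real deployment would pick its own thresholds and store the log in an append‑only, access‑controlled sink.

```python
"""Audit trail for human review of automated decisions (constructed example).

Models the Article 22(3) safeguard of "meaningful human intervention" as a
log that records, per decision, who reviewed it, when, what they consulted
and what they decided, and derives the override rate that the pitfalls
list asks controllers to measure. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AutomatedDecision:
    decision_id: str
    subject_ref: str      # pseudonymous reference, never the person's identity
    model_version: str
    score: float
    threshold: float
    recommendation: str   # what the model proposed, e.g. "approve" / "decline"


@dataclass(frozen=True)
class HumanReview:
    reviewer_id: str
    reviewed_at: datetime
    inputs_consulted: tuple   # data, rules or thresholds the reviewer actually opened
    final_outcome: str
    rationale: str


class ReviewLog:
    """One automated decision, optionally one human review; never overwritten."""

    def __init__(self) -> None:
        self._decisions: dict[str, AutomatedDecision] = {}
        self._reviews: dict[str, HumanReview] = {}

    def record_decision(self, d: AutomatedDecision) -> None:
        if d.decision_id in self._decisions:
            raise ValueError(f"duplicate decision id {d.decision_id}")
        self._decisions[d.decision_id] = d

    def record_review(self, decision_id: str, r: HumanReview) -> None:
        if decision_id not in self._decisions:
            raise KeyError(f"unknown decision {decision_id}")
        if decision_id in self._reviews:
            # A re-decision is a new decision with its own id, so the trail stays intact.
            raise ValueError(f"review already recorded for {decision_id}")
        self._reviews[decision_id] = r

    def solely_automated(self) -> list[str]:
        """Decisions with no human review at all: the Article 22(1) default case."""
        return [i for i in self._decisions if i not in self._reviews]

    def cosmetic_reviews(self, min_rationale_chars: int = 20) -> list[str]:
        """Reviews that look like a bare approval click: nothing consulted, no rationale.
        The 20-character floor is an assumed heuristic, not a legal test."""
        return [i for i, r in self._reviews.items()
                if not r.inputs_consulted or len(r.rationale.strip()) < min_rationale_chars]

    def override_rate(self) -> float:
        """Share of reviewed decisions in which the human changed the outcome."""
        if not self._reviews:
            return 0.0
        changed = sum(1 for i, r in self._reviews.items()
                      if r.final_outcome != self._decisions[i].recommendation)
        return changed / len(self._reviews)


def build_sample_log() -> ReviewLog:
    """Constructed sample: five scored applications, four reviewed, one overridden."""
    log = ReviewLog()
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    decisions = [
        AutomatedDecision("D-001", "subj-a1", "scoring-v3", 0.31, 0.50, "decline"),
        AutomatedDecision("D-002", "subj-b2", "scoring-v3", 0.48, 0.50, "decline"),
        AutomatedDecision("D-003", "subj-c3", "scoring-v3", 0.72, 0.50, "approve"),
        AutomatedDecision("D-004", "subj-d4", "scoring-v3", 0.20, 0.50, "decline"),
        AutomatedDecision("D-005", "subj-e5", "scoring-v3", 0.90, 0.50, "approve"),
    ]
    for d in decisions:
        log.record_decision(d)
    log.record_review("D-001", HumanReview("rev-17", t, ("payment_history", "threshold_0.50"),
        "decline", "Confirmed: three missed payments on file, threshold correctly applied."))
    log.record_review("D-002", HumanReview("rev-17", t, ("payment_history", "employment_record"),
        "approve", "Borderline score; recent stable employment is not yet a model feature."))
    log.record_review("D-003", HumanReview("rev-09", t, (), "approve", "ok"))   # cosmetic click
    log.record_review("D-005", HumanReview("rev-09", t, ("model_card_v3",),
        "approve", "High score; checked that no special-category proxy drives the result."))
    # D-004 is never reviewed: it remains a solely automated decision.
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("solely automated:", log.solely_automated())
    print("cosmetic reviews:", log.cosmetic_reviews())
    print("override rate:   ", log.override_rate())
```

Run over the constructed sample, the log reports D‑004 as solely automated (no safeguard at all), D‑003 as a cosmetic review (nothing consulted, no rationale), and an override rate of 25%. An override rate that sits at or near zero across thousands of decisions is the quantitative signal the pitfalls list warns about: the algorithm, not the reviewer, is the decision‑maker.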
Official sources
- CJEU — Press release No 186/23 (7 Dec 2023): SCHUFA (C‑634/21; C‑26/22 and C‑64/22). curia.europa.eu
- Curia — C‑634/21, SCHUFA Holding (Scoring): analysis of Article 22 GDPR and scoring. infocuria.curia.europa.eu
- EDPB — Endorsed WP29 Guidelines: WP251 rev.01 (Automated decision‑making and Profiling). edpb.europa.eu
- WP251 rev.01 text (hosted by CNPD). cnpd.public.lu
- CNPD — GDPR, Chapter III, Art. 22 (FR/EN). cnpd.public.lu
- CNPD — Thematic AI file. cnpd.public.lu
- ICO — What does the UK GDPR say about automated decision-making and profiling? ico.org.uk
- ICO — What else do we need to consider if Article 22 applies? cy.ico.org.uk
Note for leadership: as of 25 June 2026, the applicable law in Luxembourg is the GDPR as interpreted by the CJEU and EDPB‑endorsed guidelines. The ICO’s more “flexible” reading can inform technical implementation (explainability, DPIA) but does not alter EU obligations. For structured support, our DPO mandate can assist your compliance journey.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.