Update: Please differentiate query (first entry in the screenshot, greyed out) and data forwarding (second entry and what this is really about). This is a common misconception. Their overdraft policy only allows data about the account to be forwarded if there is an actual overdraft set up!
Update 2 (2016-03-03): Because I blogged about the issue, they are now refusing to resolve it or even reply to my inquiries about that matter any further. My bank account data is still listed with SCHUFA and no explanation was given by Number 26 to support their claim that they were allowed to forward this information.
Update 3 (2016-05-31): Number26 again queried my SCHUFA. There has been no explanation and the support representative failed to come back to me why that happened. I have canceled my contract with them effective immediately.
Two weeks ago when finding out that Number 26 MasterCards are storing and revealing information about your transaction history I was yet to discover another privacy issue, that might affect German users even more.
Number 26 will be listed as checking account (“Girokonto”) in your SCHUFA
In Germany, everyone more or less knows what the SCHUFA is. For everyone else, I’ll explain it in a few sentences:
Schufa’s purpose is to protect its clients from credit risks. It also offers protection from insolvency to borrowers. They are doing this by collecting data through their customers (like Number 26) about your contracts and if you failed to pay your debt. Whenever you apply for a loan, mobile phone contract, checking account or credit card, the company will check your SCHUFA (if they are a customer) and deny your request based on the data provided. Too many checking accounts may lead to a denial in your loan or credit card application.
So, where is the problem?
Screenshot of my meineschufa.de with my bank account information forwarded to them.
Number 26 has again violated your privacy by sharing your data with third parties without your consent. I have read their terms of service for overdraft (the only place, where they mention data sharing with SCHUFA) in German and English a couple of times now. The Internet Archive has a snapshot as of the time of this writing, in case Number 26 changes it. You can read the full overdraft terms here.
In a nutshell:
9. Transmission of personal data to SCHUFA
9.1 The Bank transfers personal data of the Customer regarding the establishment, proper execution and termination of the Overdraft Credit Contract to SCHUFA […], for the purposes of credit assessment […]. The Customer hereby releases the Bank from bank secrecy.
9.2 The Customer may obtain information from SCHUFA regarding stored data that pertains to the Customer. […]
9.3 The Customer hereby consents that data relevant to the credit with regard to the application, the receipt ([…]) and settlement ([…]) may be transferred to SCHUFA Holding AG […].
[…] the SCHUFA financial institution will also transfer data regarding its existing receivables due by the Customers. […]
[…] the financial institution shall also transfer data regarding miscellaneous non-contractual behaviour (e. g., fraudulent behaviour) to SCHUFA. […]
In this respect, the Customer simultaneously releases the financial institution from bank secrecy.
So as they stated, they are permitted to do the following once you are granted an overdraft (I applied in December 2015 but did not get it granted):
- Retrieve information about you from SCHUFA (i.e. for the initial application)
- Share with SCHUFA about your overdraft allowance (i.w. amount and date)
- Share should you not pay your debt after they told you to pay it back or otherwise commit fraud
But nowhere it says, that they are allowed to tell SCHUFA about your checking account (including account number) if there is no overdraft set up for your account.
Wait, it (again) gets better:
I have asked the Number 26 support about my entry and told them, that according to their terms of service, they are not allowed to share this information, as long as no overdraft was set up. Their response leaves me puzzled:
ich habe jetzt Rückinfo erhalten. Der Fehler lag nicht bei uns laut Schufa AG. Die Eintragungen des Girokontos von NUMBER26 werden zur Zeit bearbeitet und wieder raus genommen, der Vorgang wird allerdings etwas Zeit beanspruchen.
I got a response now. The error was not with us according to Schufa AG. The entries of your chekings account at NUMBER 26 are being worked on at the moment and will be taken out again, this process will take a while.
No, I didn’t ask why the SCHUFA is storing this info, that’s their goddamn job. I was asking why Number 26 provided this info to SCHUFA. Who, if not Number 26, told SCHUFA about my account? How can Schufa AG claim it was not the fault of Number 26? They must be joking. And even if someone else told SCHUFA about that account, how did they know?
Do they even care?
It seems to me that Number 26 does not care about their customers. This is the third blog post in a month about their product. They go through big effort pushing their product and growing their userbase, but they are forgetting the most crucial things: privacy and security.