
CNIL Credit Data: Navigating French Data Protection Rules for Credit Scoring Under GDPR

AIGovHub Editorial, May 24, 2026

Introduction

The French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has long been at the forefront of enforcing data privacy rights under the GDPR. In recent years, it has turned its attention to the credit sector, where the use of personal data for creditworthiness assessments—often involving automated decision-making and AI-based scoring—raises significant privacy concerns. Following a public consultation and in light of landmark rulings from the Court of Justice of the European Union (CJEU), the CNIL has published updated recommendations that replace the former AU-005 authorization. These recommendations aim to enhance transparency, control, and fairness in how lenders process applicant data. For lenders operating in France, understanding these requirements is critical to avoid penalties and maintain consumer trust. This article analyzes the key provisions of the CNIL's guidance, compares them with GDPR principles and EBA guidelines, and offers practical steps for compliance.

Regulatory Context: CNIL's Role and the Need for Transparency

The CNIL is the independent regulatory body responsible for enforcing data protection laws in France. Its recommendations on credit data apply to private lenders and intermediaries offering consumer and mortgage credit under the French Consumer Code. The guidance was shaped by CJEU rulings (C-634/21 and C-203/22), which confirmed that credit scoring constitutes an automated decision when it is determinative—meaning it directly leads to a credit approval or rejection. This classification triggers GDPR Article 22, which grants individuals the right not to be subject to a decision based solely on automated processing that produces legal effects. The CNIL's updated recommendations replace the earlier AU-005 authorization and provide a compliance checklist for lenders. The core message is clear: lenders must be transparent about how they use personal data, including scoring methodologies and the role of past payment incidents.

Key Requirements Under the CNIL Guidance

Obtaining Explicit Consent and Data Minimization

The CNIL emphasizes that lenders must obtain explicit consent from applicants before processing their personal data for creditworthiness assessment. Consent must be freely given, specific, informed, and unambiguous. Importantly, the guidance limits data collection to what is strictly necessary for the assessment. For example, lenders may process income, employment status, and existing debt levels, but should avoid excessive data points such as social media activity or health data unless directly relevant. Applicants must also be allowed to mask non-essential information—such as their social security number—on documents while preserving the document's authenticity features. This aligns with GDPR's data minimization principle (Article 5(1)(c)).

Right to Access and Erasure

Applicants have the right to access their personal data held by lenders and to understand how it is used in the scoring process. The CNIL requires lenders to provide clear, accessible explanations of the logic involved in automated decisions, including the weight given to different factors. If an applicant requests erasure, lenders must delete data that is no longer necessary for the original purpose, subject to legal retention obligations. This reinforces GDPR's right to erasure (Article 17).

Transparency About Automated Decision-Making

For fully automated credit decisions, the CNIL mandates transparency, human intervention, and explainability. Lenders must communicate the credit score and its meaning to the applicant. If the decision is negative, the lender must explain the reasons and allow the applicant to contest the decision. This aligns with GDPR Article 22 and the broader EU push for trustworthy AI. The use of past repayment incidents is permitted but must be objective, up-to-date, and transparently disclosed.

Comparison with GDPR Principles and EBA Guidelines

The CNIL's recommendations are firmly rooted in GDPR principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. They also intersect with the European Banking Authority's (EBA) guidelines on the definition of default. The EBA has amended its Guidelines on the definition of default, which are critical for credit risk management and capital requirements under the Capital Requirements Regulation (CRR). Lenders must ensure that their credit scoring models align with the EBA's definition—for instance, treating a borrower as defaulted after 90 days past due. The CNIL's guidance adds a data protection layer: even if a past incident is technically a default under EBA rules, its use in scoring must be transparent and proportionate. Lenders should also be aware of the EBA's consultation on amendments to the regulatory technical standards (RTS) on risk weights for specialised lending exposures, which may affect capital calculations. While the CNIL and EBA frameworks serve different purposes, they must be applied coherently to avoid compliance gaps.

Practical Steps for Lenders

Update Privacy Notices

Lenders should revise their privacy notices to clearly describe: the categories of data collected, the purposes of processing (including scoring), the legal basis (consent or legitimate interest), the existence of automated decision-making, and the rights of data subjects. Notices must be concise, transparent, and easily accessible.

Conduct Data Protection Impact Assessments (DPIAs)

Under GDPR Article 35, a DPIA is required for processing that is likely to result in high risk to individuals' rights and freedoms—which includes automated credit scoring. Lenders should document the nature, scope, context, and purposes of processing; assess necessity and proportionality; identify and mitigate risks; and involve the data protection officer (DPO).

Implement Data Retention Policies

The CNIL guidance defines specific retention periods for credit data. For example, positive credit data (e.g., on-time payments) may be retained for the duration of the contract plus a limited period afterward. Negative data (e.g., defaults) should be deleted once the debt is settled or after a statutory period. Lenders must establish clear policies and automate deletion where possible.

Ensure Fairness in AI-Based Credit Scoring

When using AI models, lenders must ensure they are fair, non-discriminatory, and explainable. This involves testing for bias against protected characteristics (e.g., ethnicity, gender), using representative training data, and implementing human oversight for high-risk decisions. The CNIL recommends that lenders provide applicants with the ability to contest automated decisions and request human review.

Key Takeaways

  • Explicit consent is required for processing credit data; data collection must be minimized to what is strictly necessary.
  • Transparency is paramount: lenders must explain scoring logic, communicate scores, and allow applicants to contest decisions.
  • Automated decisions require human intervention and explainability, in line with GDPR Article 22 and CJEU rulings.
  • Data retention periods must be defined and enforced; applicants have the right to erasure of unnecessary data.
  • DPIAs are mandatory for high-risk processing such as AI-based credit scoring.
  • EBA guidelines on default definition must be integrated with data protection requirements.

Conclusion

The CNIL's recommendations represent a significant step toward aligning credit scoring practices with GDPR and emerging AI governance standards. Lenders must act now to update their policies, conduct DPIAs, and ensure transparency in automated decisions. To streamline multi-domain compliance—spanning data protection, credit regulation, and AML—consider using AIGovHub for integrated regulatory tracking and compliance tools. Additionally, for AML and fraud risk integration, RisksRadarAI offers cross-domain risk intelligence that can complement your credit compliance framework. This content is for informational purposes only and does not constitute legal advice.