GDPR breach: 300.000€ fine against bank after lack of transparency over automated rejection of credit card application

A Berlin-based bank offered a credit card on its website. Using an online form, the bank requested various data about the applicant's income, occupation and personal details. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm is based on criteria and rules previously defined by the bank. Since the client had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner.

Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. It refused to tell him why it assumed poor creditworthiness in his case. The complainant was thus unable to understand which data and factors formed the basis of the automated rejection, or which criteria had led to his credit card application being rejected. Without this justification for the individual case, it was also not possible for him to meaningfully challenge the automated individual decision.

A bank is obliged to inform its customers about the main reasons for a rejection when making an automated decision on a credit card application. This includes concrete information on the data basis and the decision-making factors as well as the criteria for the rejection in the individual case. The Berlin DPA found that the bank had violated Article 22(3), Article 5(1)(a) and Article 15(1)(h) GDPR in the specific case. In imposing the fine, the Berlin DPA took into account in particular the high turnover of the bank and the intentional design of the application process and the information. Among other things, the fact that the company admitted the violation and had already implemented changes to the processes and announced further improvements was deemed to reduce the fine.

