GDPR breach: 300.000€ fine against bank after lack of transparency over automated rejection of credit card application

A Berlin based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant's income, occupation and personal details. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm is based on criteria and rules previously defined by the bank. Since the client had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner. 

Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed a poor creditworthiness in his case. The complainant was thus unable to understand which data basis and factors formed the basis of the automated rejection and on the basis of which criteria his credit card application had been rejected accordingly. Without this individual case justification, however, it was also not possible for him to meaningfully challenge the automated individual decision.

A bank is obliged to inform its customers about the main reasons for a rejection when making an automated decision on a credit card application. This includes concrete information on the data basis and the decision-making factors as well as the criteria for the rejection in the individual case. The Berlin DPA found that the bank had violated Article 22(3), Article 5(1)(a) and Article 15(1)(h) GDPR in the specific case. In imposing the fine, the Berlin DPA took into account in particular the high turnover of the bank and the intentional design of the application process and the information. Among other things, the fact that the company admitted the violation and had already implemented changes to the processes and announced further improvements was deemed to reduce the fine. (source: edpb.europa.eu/ photo freepik.com)

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

The name Pablo Escobar may not be registered as an EU trade mark

First judgment of the ECHR: Lawless v. Ireland

Politically Exposed Persons (PEPs): What and Why?

Airbnb is not required to hold an estate agent’s professional licence as it did not notify the Commission of that requirement in accordance with the Directive on electronic commerce

McDonald’s loses the EU trade mark Big Mac in respect of poultry products