GDPR breach: €300,000 fine against bank for lack of transparency over automated rejection of a credit card application
Even when the complainant asked, the bank provided only general information about its scoring procedure, detached from his individual case; it refused to tell him why it had assumed poor creditworthiness in his case. He was therefore unable to understand which data and factors the automated rejection was based on, or the criteria by which his credit card application had been rejected. Without a justification for his individual case, he could not meaningfully challenge the automated individual decision.
A bank that makes an automated decision on a credit card application is obliged to inform the customer of the main reasons for a rejection. This includes concrete information on the data and the decision-making factors used, as well as the criteria for the rejection in the individual case. The Berlin DPA found that the bank had violated Article 22(3), Article 5(1)(a) and Article 15(1)(h) GDPR in the specific case. In setting the fine, the Berlin DPA took into account in particular the bank's high turnover and the fact that the application process and the information provided had been designed deliberately. Among the mitigating factors were that the company admitted the violation, had already implemented changes to its processes and had announced further improvements. (source: edpb.europa.eu)