GDPR breach: 300.000€ fine against bank after lack of transparency over automated rejection of credit card application

A Berlin based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant's income, occupation and personal details. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm is based on criteria and rules previously defined by the bank. Since the client had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner. 

Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed a poor creditworthiness in his case. The complainant was thus unable to understand which data basis and factors formed the basis of the automated rejection and on the basis of which criteria his credit card application had been rejected accordingly. Without this individual case justification, however, it was also not possible for him to meaningfully challenge the automated individual decision.

A bank is obliged to inform its customers about the main reasons for a rejection when making an automated decision on a credit card application. This includes concrete information on the data basis and the decision-making factors as well as the criteria for the rejection in the individual case. The Berlin DPA found that the bank had violated Article 22(3), Article 5(1)(a) and Article 15(1)(h) GDPR in the specific case. In imposing the fine, the Berlin DPA took into account in particular the high turnover of the bank and the intentional design of the application process and the information. Among other things, the fact that the company admitted the violation and had already implemented changes to the processes and announced further improvements was deemed to reduce the fine. (source: edpb.europa.eu/ photo freepik.com)

Comments

Popular posts from this blog

The Delivery Delay Clause in Residential Construction Contracts: Consumer Protection in Cyprus and Europe

Cyprus Family Law: Spouse's claim for contribution in post-marital acquisitions

Two prisoners punished for singing anthems and reading out poems in prison: Violation of the freedom of expression

The civil courts did not violate the right of access to a court by refusing a document which had not been submitted in accordance with the Code of Civil Procedure

The struggle for truth against time and limitation period in the light of two paternity court cases

Consumer credit agreements: In the event of failure to comply with the obligation to provide information, a bank may be deprived of its right to interest

ECtHR Judgement against Greece: Disclosure of the identities and medical data of prostitutes diagnosed with HIV was a breach of their right to private life