Violations of the General Data Protection Regulation (GDPR) can be expensive. This was something a direct bank had to learn, as it now has to pay a fine of 300,000 euros.
The General Data Protection Regulation – GDPR for short – is not a toothless paper tiger. More and more companies are learning this the hard way, as they are fined for violations of the GDPR. Authorities are obliged to impose fines that are substantial, according to the law firm MTR Legal Rechtsanwälte, which advises, among other areas, on IT law and data protection.
In this case, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine on a bank for a lack of transparency in automated decisions. These are decisions made by an IT system on the basis of algorithms, without human intervention. The GDPR stipulates specific transparency obligations for such mechanisms, which the bank did not comply with.
Specifically, the case involved a loan application that the bank processed using algorithms. The applicant was required to provide information about, among other things, their profession, income, and personal details. On the basis of these and other data, the algorithm made an automated decision and rejected the application without further explanation. The customer was surprised by the rejection, as he had a regular high income and a good credit score. He therefore asked the bank why the application had been rejected.
However, the bank only provided general information about the scoring procedure, without addressing the specific case. The customer was therefore unable to understand on the basis of which data and factors his creditworthiness had been evaluated poorly and the application rejected. His complaint to the Berlin data protection commissioner was nevertheless successful.
In the case of automated decisions, companies are obliged to substantiate and justify them clearly and understandably. The bank should have informed the customer of the essential reasons for the rejection. However, it did not do so transparently and understandably, even upon request. According to the data protection commissioner, this violated Art. 22 (3), Art. 5 (1) lit. a, and Art. 15 (1) lit. h GDPR.
MTR Legal Rechtsanwälte advises on issues of IT law and data protection.