Violations of the General Data Protection Regulation (GDPR) can be costly. This is something that a direct bank had to learn, as it now has to pay a fine of 300,000 euros.
The General Data Protection Regulation – or GDPR – is not a toothless paper tiger. This is something more and more companies are discovering, as they are being fined for violations of the GDPR. Authorities are obliged to impose penalties that are substantial, according to the law firm MTR Legal Rechtsanwälte, which also advises on IT law and data protection.
In the present case, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine on a bank due to a lack of transparency in automated decisions. These are decisions made by an IT system based on algorithms without human intervention. Under the GDPR, specific transparency obligations apply to such mechanisms, which the bank failed to comply with.
Specifically, the issue was a loan application processed by the bank based on algorithms. The applicant had to provide information about occupation, income, and personal details. The algorithm made an automated decision based on this and other data, rejecting the application without further explanation. The customer was surprised by the rejection, as he had a regular high income and a good Schufa score. Therefore, he inquired with the bank about the reason for the rejection.
However, the bank provided only general information about the scoring method, without addressing the specific case. Thus, the customer could not understand on what basis his creditworthiness had been rated poorly and the application rejected. His complaint to the Berlin Data Protection Commissioner was successful.
In the case of automated decisions, companies are required to provide a substantial and comprehensible rationale. The bank should have informed the customer of the significant reasons for the rejection. However, it did not do so in a transparent and understandable manner, even upon request. Therefore, according to the Data Protection Commissioner, it violated Art. 22 Para. 3, Art. 5 Para. 1 lit. a, and Art. 15 Para. 1 lit. h of the GDPR.
MTR Legal Rechtsanwälte advise on matters of IT law and data protection.