A Berlin-based bank has been fined 300,000 euros by the Berlin data protection commissioner. The fine was imposed due to the bank’s lack of transparency regarding the automated rejection of a credit card application.
The bank’s algorithm rejected the customer’s application without providing specific justification. The bank only provided general information about the scoring procedure but refused to explain why the customer was deemed to have poor creditworthiness. The lack of individual case justification prevented the customer from effectively challenging the automated decision.
The decision states that a bank is obligated to inform customers about the main reasons for rejection in automated credit card application decisions.
This includes providing concrete information about the data used, decision-making factors, and rejection criteria in the specific case. The Berlin data protection commissioner found that the bank violated several articles of the GDPR. The fine takes into account the bank’s high turnover and intentional design of the application process and information. The bank’s admission of the violation, implementation of changes to processes, and commitment to further improvements resulted in a reduced fine.
AI Risk, Impact & Ethics Assessment: https://privacy.partners