On 31 May 2023, the Berlin Commissioner for Data Protection and Freedom of Information (BfDI) fined a bank €300,000 for failing to adequately inform customers about the criteria used to automatically approve or reject credit card applications.
The bank required customers to provide personal data, occupation, and income information when applying for a credit card. It also used additional data from external sources in these automated decisions. However, when applications were rejected, the bank did not provide specific reasons for these decisions, even when customers requested an explanation.
The Commissioner found this practice to be in violation of Articles 22(3), 5(1)(a), and 15(1)(h) of the EU’s General Data Protection Regulation. It determined that banks must inform customers of the “central reasons” for rejecting credit card applications. This would also include “specific information about the data used, the decision-making factors, and the criteria for rejection in each individual case“.
Access to the full judgment
Further notes on contested technology
- → The technology is deployed
Additional resources
Author of the case note
