HomeCase Law DatabaseGermany, Berlin Commissioner for Data Protection and Freedom of Information, 31 May 2023, Automated Credit Card Issuing

Germany, Berlin Commissioner for Data Protection and Freedom of Information, 31 May 2023, Automated Credit Card Issuing

Case Overview

Share via:

CountryGermany

Deciding BodyData Protection Authority

AreaData Protection

UserPrivate

Case NameAutomated Credit Card Issuing

Authority (English)Berlin Commissioner for Data Protection and Freedom of Information

TechnologyRisk Assessment

ProviderPrivate

Decision Date31 May 2023

Authority (Original)Berliner Beauftragte für Datenschutz und Informationsfreiheit

Grounds for DecisionEU Law

Legal RequirementAccess to Information, Explainability, Transparency

On 31 May 2023, the Berlin Commissioner for Data Protection and Freedom of Information (BfDI) fined a bank €300,000 for failing to adequately inform customers about the criteria used to automatically approve or reject credit card applications.

The bank required customers to provide personal data, occupation, and income information when applying for a credit card. It also used additional data from external sources in these automated decisions. However, when applications were rejected, the bank did not provide specific reasons for these decisions, even when customers requested an explanation.

The Commissioner found this practice to be in violation of Articles 22(3), 5(1)(a), and 15(1)(h) of the EU’s General Data Protection Regulation. It determined that banks must inform customers of the “central reasons” for rejecting credit card applications. This would also include “specific information about the data used, the decision-making factors, and the criteria for rejection in each individual case“.

Access to the full judgment

Full Judgment

Further notes on contested technology

  • → The technology is deployed

Additional resources

EDPB news, https://www.edpb.europa.eu/news/national-news/2023/berlin-sa-imposes-300-000-euro-fine-against-bank-after-lack-transparency_en

Author of the case note

Paul Friedl

Similar cases

Germany, Federal Constitutional Court of Germany, 16 February 2023, 1 BvR 1547/19, 1 BvR 2634/20 – Automated Data Analysis

Country Germany

Deciding Body Higher National Court

Area Data Protection

Decision Date 16 February 2023

EU, Court of Justice of the EU, 6 October 2020, La Quadrature du Net and Others – Joined Cases C-511/18, C-512/18 and C-520/18

Country France

Deciding Body CJEU

Area Data Protection

Decision Date 6 October 2020

EU, Court of Justice of the EU, 26 July 2017, Opinion 1/15

Country EU

Deciding Body CJEU

Area Data Protection

Decision Date 26 July 2017

Italy, Italian Data Protection Authority, 10 June 2021, IT DPA decision no. 9675440, Foodinho

Country Italy

Deciding Body Data Protection Authority

Area Data Protection

Decision Date 10 June 2021
See more cases