Germany, Berlin Commissioner for Data Protection and Freedom of Information, 31 May 2023, Automated Credit Card Issuing

Case Overview

Share via:

CountryGermany

Deciding BodyData Protection Authority

AreaData Protection

UserPrivate

Case NameAutomated Credit Card Issuing

Authority (English)Berlin Commissioner for Data Protection and Freedom of Information

TechnologyRisk Assessment

ProviderPrivate

Decision Date31 May 2023

Authority (Original)Berliner Beauftragte für Datenschutz und Informationsfreiheit

Grounds for DecisionEU Law

Legal RequirementAccess to Information, Explainability, Transparency

On 31 May 2023, the Berlin Commissioner for Data Protection and Freedom of Information (BfDI) fined a bank €300,000 for failing to adequately inform customers about the criteria used to automatically approve or reject credit card applications.

The bank required customers to provide personal data, occupation, and income information when applying for a credit card. It also used additional data from external sources in these automated decisions. However, when applications were rejected, the bank did not provide specific reasons for these decisions, even when customers requested an explanation.

The Commissioner found this practice to be in violation of Articles 22(3), 5(1)(a), and 15(1)(h) of the EU’s General Data Protection Regulation. It determined that banks must inform customers of the “central reasons” for rejecting credit card applications. This would also include “specific information about the data used, the decision-making factors, and the criteria for rejection in each individual case“.

Access to the full judgment

Further notes on contested technology

  • → The technology is deployed

Author of the case note

Paul Friedl