Berlin: Berlin Commissioner fines bank €300,000 for lack of transparency with automated decision-making

The Berlin data protection authority (Berlin Commissioner) announced, on May 31, 2023, that it had fined a bank €300,000 for violations of Articles 5(1)(a), 15(1)(h), and 22(3) of the General Data Protection Regulation (GDPR), following an investigation by the Berlin Commissioner.

Background to the decision

The complaint concerned a customer's application for a credit card, which the bank's algorithm rejected without giving the customer any specific justification. When asked, the bank provided the customer only with general information on the scoring process used in connection with the application, and did not provide any specific information about the customer's own application. As a result, the customer could not challenge the bank's automated decision, which prompted the complaint to the Berlin Commissioner.

Findings of the Berlin Commissioner

The Berlin Commissioner found that the bank's failure to provide, when requested, transparent and comprehensible information about the automated decision rejecting the customer's application warranted the fine. The Berlin Commissioner explained that a bank is required to inform customers of the main reasons behind a decision made by automated means about a credit card application, which should include specific information on the data, the decision-making factors, and the criteria for rejection in individual cases.

Outcomes

In light of its investigation, the Berlin Commissioner fined the bank €300,000 for its violation of the abovementioned articles of the GDPR.

You can read the press release, only available in German, here, and the European Data Protection Board summary here.