Berlin Bank Fined €300,000 for GDPR Violation in Automated Credit Card Rejection
A Berlin-based bank has been fined 300,000 euros by the Berlin Data Protection Authority (DPA) for violating the General Data Protection Regulation (GDPR). The penalty stems from the bank’s lack of transparency about the automated rejection of a customer’s credit card application.
The case began when a customer with a good credit score and a regular, high income applied for a credit card through the bank’s website. The online form collected income, occupation and personal details. Combining this information with data from external sources, the bank’s algorithm, applying criteria and rules the bank had defined in advance, rejected the application automatically and without any case-specific justification, leaving the customer unable to tell why the decision had gone against them.
When the complainant asked for an explanation, the bank offered only generic information about its scoring procedure and refused to disclose which data and characteristics had been used in this particular case, how they had been weighted, or why they led to an assessment of poor creditworthiness. Without this information the customer could neither understand the basis of the automated rejection nor challenge it effectively.
The Berlin DPA concluded that the bank’s failure to give clear, case-specific reasons for the automated rejection infringed several GDPR provisions: Article 22(3), which requires safeguards for decisions based solely on automated processing, including the data subject’s right to obtain human intervention, to express their point of view and to contest the decision; Article 5(1)(a), the principle of lawfulness, fairness and transparency; and Article 15(1)(h), the right of access to meaningful information about the logic involved in automated decision-making and its significance and envisaged consequences for the data subject.
In setting the fine at 300,000 euros, the Berlin DPA took into account the bank’s high turnover and the fact that the application process and its information practices had been deliberately designed this way. As mitigating factors it credited the bank’s admission of the violation, the process changes it had already made, and its commitment to further improvements, which reduced the fine from what it would otherwise have been while keeping it substantial enough to reflect the seriousness of the breaches. The case shows that financial institutions using automated systems to decide on access to financial products must be able to explain individual decisions in a way the affected person can understand and contest, and that failing to do so carries significant penalties under the GDPR.