German City's DPA Fines Bank for Violating GDPR With Automated Decision-Making
A Hamburg, Germany, company from the financial industry that violated the GDPR by failing to tell several customers why their credit card applications were rejected must pay 492,000 euros ($578,000), the city's DPA announced Tuesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The actions of the bank, which the DPA didn't name, violated customers' rights regarding automated decision-making, the watchdog said, according to a translation.
Despite their creditworthiness, the customers were rejected by algorithms and without human intervention, the DPA said. When the customers demanded justification for the decision, the company failed to meet its statutory information obligations.
Using automated decisions based on algorithms and without human intervention is associated with special risks to people's rights, the DPA noted. It's allowed only in narrow conditions under the GDPR, which also requires that data controllers give people meaningful information about the logic involved in the automated decisions.
The financial institution made considerable efforts to improve its processes and to cooperate with the regulator, the DPA said, adding that it considered those factors when setting the fine.
The Hamburg DPA has imposed fines totaling about 775,000 euros ($910,000) for GDPR violations so far this year, it noted. That includes fines related to illegal advertising and penalties imposed on police for interrogating private individuals in an official database without legal reason.