German Federal Data Protection Authority imposes 300,000 euro fine against bank after lack of transparency over automated rejection of credit card application
The National Centre for Personal Data Protection (NCPDP), for information and enforcement purposes, informs about the fine of 300,000 euros imposed by the German Federal Data Protection Authority (DPA) on a bank for lack of transparency in an automated individual decision.
An automated decision is a decision made by an IT system based solely on algorithms and without human intervention. In this case, Regulation (EU) 2016/679 (GDPR) provides for special transparency obligations. Personal data must be processed in a way that is easy to understand for data subjects. Data subjects have the right to an explanation of the decision taken after a proper assessment.
In this case, however, the bank did not take this into account in its digital application for a credit card. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the requested information and additional data from external sources, the bank’s algorithm rejected the customer’s application without any specific justification. The algorithm is based on criteria and rules previously defined by the bank. As the customer had a good credit score and a high regular income, he doubted the automated rejection and complained to the DPA in Germany.
A bank is obliged to inform its customers of the main reasons for rejection when making an automated decision on a credit card application. This includes factual information on the database and the decision-making factors as well as the criteria for rejection.
As a result of the investigation, the German DPA found that the bank violated Articles 22(3), 5(1)(a) and 15(1)(h) of the GDPR. In setting the fine, the DPA took particular account of the bank’s high turnover and the deliberate design of the application and information request process.
The NCPDP, as the national supervisory authority for personal data processing, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.