At the end 2023 the Court of Justice of the European Union announced two judgments on issues related to the application of the General Data Protection Regulation (“GDPR“). Although adopted under specific cases, the judgments provide interpretations that are binding on all national law enforcement authorities within the European Union. Therefore, both judgements should be noted, since they concern issues which frequently arise in practice.
The first judgement is related to the question whether the process of providing a financial assessment of a potential borrower constitutes automated decision-making (so-called scoring).
The case arises from the business model of a German private economic enquiry agency, whose business is related to providing information on the credit worthiness of the consumers. The agency makes a prediction of the consumers’ behavior – whether the consumer would be able to repay a bank loan. The forecast is based on certain personal characteristics of the consumers, assigning them to a group of other individuals with comparable characteristics (e.g. gender, age, occupation, religion, etc.). Based on the past behaviour of this group, the agency provides predictions about the potential future behaviour of the applicant. Further, the agency shares the assessment of the agency with its clients, such as banks or credit institutions.
After receiving such assessment from the agency, a bank refused to grant a loan to a certain individual. In addition, the economic enquiry agency refused to provide the individual with information on how it had calculated the assessment, claiming that the algorithm used thereunder constitutes a trade secret.
Undoubtedly, the automatic refusal of online credit applications represents automated decision-making within the meaning of the GDPR. However, in this case, the refusal was not automatic, by an algorithm, rather the decision has been taken by a representative of the credit institution. Only the process of making the financial assessment was automatic. Hence, should the rules of the GDPR apply thereunder?
The response of the European Court of Justice is positive. The bank decides whether or not to grant a loan on the basis of the assessment of the economic enquiry agency. Therefore, this assessment significantly affects the consumers and shall be carried out in compliance with the requirements of the GDPR.
The Court also recalled the requirements, which shall be met, namely – that there is a legal ground for the automated decision-making process and that the individuals (credit applicants) are provided with information about the rationale used under the assessment. Appropriate mathematical and statistical procedures shall be applied to ensure that the risk of error is minimised and that there are no discriminatory consequences for the consumer. It is also mandatory under the GDPR that the individual is provided with the right to human intervention in the process.
The second judgment of the Court of Justice of the European Union on the application of the GDPR, announced in December 2023, relates to issues concerning the enforcement of sanctions for breach of the legal requirements for the processing of personal data.
The case that led to the decision also involved a German data controller, namely a company and the corporate group which it belongs to, where all the companies therein are processing personal data of individuals – tenants of residential and commercial premises. In the course of an inspection, it was found that personal data was being unlawfully collected and stored in an electronic filing system. The main inconsistencies of the system are, as follows – it does not allow to trace whether the storage of specific data is necessary, and it does not have the functionality to ensure the deletion of personal data when it is no longer needed. For these infringements, the data administrator has been fined nearly EUR 15 million.
The Court of Justice of the European Union gives two very important interpretations on the application of the GDPR in the part concerning the sanctioning of infringers, namely:
The identification of the specific individual who has committed the infringement is not a condition for the lawful imposition of a fine under the GDPR. The most relevant matters for this purpose are related to the establishment of the infringement of the data processing rules.
Hence, the companies can be sanctioned for the actions of their representatives and managers, but also for the infringements committed by any person who acts on behalf of the company in course of its business activities.
However, for the lawful imposition of a fine under the GDPR, the person shall has acted in fault. The judgement states that the violation is performed in fault even in cases where the data controller is not aware of the fact that it is violating the GDPR. Moreover, the fact if the management of the company is aware of the violation is not relevant for this purpose.
It is therefore sufficient to establish that the person acting on behalf of the company could not have been unaware of the unlawful nature of the data processing practice. Of course, this is a matter which will be subject to analysis on a case-by-case basis.
The content of the present article is for informational purposes only and does not constitute legal advice.
For further information contact:
Mileslava Bogdanova, Senior Associate
mileslava.bogdanova@kdp-law.com
