The report can be found here.
Summary
This report covers more than 70 court judgments, decisions from Data Protection Authorities (DPAs), specific guidance and other policy documents issued by regulators. Some cases of particular interest (for us) are highlighted below:
Case 15 (Klarna): Information about “the logic involved” is due where a bank relies on ADM to decide on credit applications or to detect potential fraud or money laundering
On March 28, 2022, the Swedish DPA (IMY) imposed on Klarna Bank AB a 7.500.000 SEK fine (approximately 750.000 EUR) for several infringements of transparency requirements under the GDPR. Among other findings, the regulator noted that, in a period between March and June 2020, the controller did not provide meaningful information about the rationale, meaning and foreseeable consequences of the qualifying ADM it carried out for the purposes of deciding on credit applications it received from its customers and for detecting potential cases of fraud or money laundering. In this context, the IMY stressed that Klarna’s data protection notice “only indicate[d] that certain types of information [were] used in connection with the automated decisions” (like contact, identification and financial information), but it did not explain to customers which circumstances may be decisive for a negative credit concession decision. The IMY considered that “the requirement to provide meaningful information on the logic behind an automated credit decision entails the indication of the categories of data that are crucial in the context of an internal scoring model and the possible existence of circumstances that always lead to a refusal decision.” As this information was not included in Klarna’s notice, the IMY established that the controller breached Articles 13(2)(f) and 14(2)(g) GDPR.
Case 16 (EDP Comercializadora): Creating commercial profiles of customers may not be qualifying ADM, but still requires detailed information about the profiling involved
In a decision from May 2021, the Spanish DPA (AEPD) fined an energy company (EDP Comercializadora) 1.000.000 EUR for not complying with Article 13 GDPR, finding that, among other issues, it did not sufficiently inform data subjects about the profiling it engaged in for marketing purposes. The DPA concluded that the company’s customers did not receive adequate information about the processing of their personal data at the point of data collection (e.g., when entering into a contract by phone or electronic means), including about how their commercial profiles were created by the company and about what the practical consequences of such creation were (i.e., about the decisions which are taken on that basis). Although the DPA found that the company’s creation of customer profiles to send personalized marketing communications did not amount to Article 22-covered ADM, it still ruled that controllers that carry out profiling activities are required to be transparent towards data subjects about their profiling practices and about how they can exercise their right to object to such profiling under Article 21. To reach this conclusion, the DPA referred to the EDPB Profiling and ADM guidelines and relied on Recital 60 and on the obligation to disclose the purposes of processing (under Article 13(1)(c)), including when the purpose is profiling and even if the profiling is not covered by Article 22. In doing so, the DPA rejected the company’s submission that the profiling was in fact associated with the purpose of personalized marketing communications, and showed that in the General Terms submitted by the company, profiling was enumerated among the purposes for which personal data is used. On a last note, the AEPD highlighted that it is possible to find, in any given case, a breach of the Article 13 GDPR transparency obligations even where there is no infringement of Article 22 and Article 6, as these provisions are independent.