Your bank knows more about you than you do
And here's how your rights under the GDPR might help you out in this
Imagine that you are applying for a mortgage for the house that you have had your eye on for a long time for your family. You apply at your bank with high hopes, having read the terms and conditions, feeling well prepared, and having checked with some friends who also applied recently for a mortgage. You already have a history of loans that you paid off, and you are mostly familiar with how banks work. After checking your income and making some calculations, you are ready to make this decision.
And then you are rejected.
This might repeat with other banks as well, often with vague replies and endless legal references, without the exact reason being specified. Then you might wonder what the reason behind it is. Is it really about your income, your background, or is it because of external circumstances? Did the bank consider some personal aspects? How did the bank come to this decision?
In this article, you will learn how automated decision-making works, what your rights are, and what might surprise you about credit scoring in general.
Credit scoring = automated decision-making
If you live in the EU, you have certain rights under the General Data Protection Regulation (or simply GDPR [1]). Credit scoring counts as automated decision-making under Article 22 GDPR [2], and, quite uniquely in the world, this empowers you with additional rights.
In fact, under Article 22, the general rule is that automated decision-making that leads to legal or similarly significant effects on you is prohibited, except:
If there is a specific law allowing the bank to do so.
If you agreed to it by signing a contract that specifies this possibility.
If it is based on your explicit consent.
How this is ensured largely depends on the bank and on the EU Member State where you live. Normally you should receive this information at least as part of a privacy notice and in the terms and conditions. Naturally, to find and understand it you will need time, resources, some knowledge of financial institutions and possibly of data protection law as well.
In certain situations, banks actually have legal obligations that require them to conduct a creditworthiness assessment on you before granting credit. This is explicitly stated in Article 8 of the Consumer Credit Directive (or CCD [3]), although how it is implemented in practice varies considerably between EU Member States. The purpose behind this - apart from the business interests of banks - is also to prevent over-indebtedness on a social level (as further elaborated in Recital 26 of the CCD). For example, the French solution is a debtors list [4] maintained by Banque de France, which is a public institution and ensures stronger rights for consumers. Banque de France grants you the right to erasure under the GDPR after you have paid off past debts, leading to a fair and highly consumer-friendly solution.
In certain countries, such as Germany, Austria, Italy or Spain, this mandatory credit scoring is usually (at least partly) outsourced to specialized credit rating agencies, such as SCHUFA, Crif, Experian or Equifax. These companies hold large databases on millions of people who may not even be aware that a quite detailed profile is kept about them. This profile is automatically assessed by specific algorithms, and the resulting information is sold to an industry worth billions.
Other financial institutions might rely on contractual obligations when you apply for a loan. This means that credit scoring is simply incorporated into the terms and conditions. Although this approach is legal when the GDPR is interpreted strictly, it likely reduces transparency in the overall process, because credit scoring ends up hidden among other (otherwise much less relevant) clauses rather than in a specific privacy notice. Banks could also rely on explicit consent for credit scoring specifically, but this is an uncommon practice because of the legal environment in the financial sector.
Your data concerned
Regardless of how automated decision-making is justified under Article 22 GDPR, a decision is often already made when you enter a bank branch or hit the 'apply' button for a credit. This decision may even be made within seconds. This fully automated decision might take into account:
Your country of origin.
Your previous debts, including litigations (even if you won or paid off all your debts).
Your age.
Your type of housing: if you rent or if you own a house already.
Where you work.
Your income.
Your relationship status.
The type of device you are using.
Your level of education.
And this is not all. Based on this information, the credit rating agency assigns you a number that expresses how creditworthy you are. If the number you were assigned is too low, you will be rejected – no matter what. Moreover, you will receive an additional entry recording that you applied for a loan, which can decrease your chances when applying for the next loan. If your score is high, good news for you – you got the loan!
Your rights
No matter the outcome, you can exercise your rights as a data subject under the GDPR in the EU. Firstly, you have the right of access under the GDPR (Article 15), which allows you to somewhat rebalance the power between you and the bank. This will allow you to understand what data your bank has about you and where the bank got that information from. You might realize that some entries are incorrect, outdated or there could be credits that you are not aware of.
Attached to automated decision-making, you also have the right to human intervention (Article 22(3) GDPR). This means that if you disagree with the bank's decision, you have the right to contest it, and the bank has to manually reassess the decision on your creditworthiness. In addition, the bank is required to give you meaningful information about the logic involved in that decision (which should already be provided in its privacy notice).
Then, you have the right to erasure, or the right to be forgotten, in certain cases (Article 17 GDPR). For example, if you are rejected, you might ask your bank to delete your application information. However, the right to erasure is not an absolute right. As the financial sector is a highly regulated environment, legal obligations can prevent banks from deleting your data (such as "Know Your Customer" or "KYC" requirements, laws related to anti-money laundering, etc.). You might need a good legal argument for such cases.
Additionally, if you discover incorrect information about you – such as factually incorrect entries at the credit scoring agency – you can exercise your right to rectification to have it corrected (Article 16 GDPR). In certain cases – for example if you are in a legal dispute with the bank – you can ask to restrict the processing of your personal data. Lastly, you also have the right to data portability, i.e. you can ask your bank to transfer all your data to another bank in a commonly used, machine-readable format, although this is subject to the conditions in Article 20 GDPR.
What can you do if the bank disagrees with your request or fails to reply within one month? You can file a complaint with your local data protection authority – you will certainly get a reply after that.
The GDPR as a tool
The GDPR is often seen as a very technical regulation, sometimes with limited practical application. However, this example shows that there are very practical, real-life situations where you can rely on it – be it in your financial life, as a consumer of any business, when you deal with public administration, or if you want to learn more about what social media platforms know about you.
The GDPR is a tool for these situations. Use it!
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
[2] An interpretation reinforced by the Court of Justice of the EU in its famous SCHUFA decision: C-634/21, para. 73
[3] Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (CCD)
[4] File of incidents of reimbursement of personal credits (FICP) by Banque de France (in French): https://www.service-public.fr/particuliers/vosdroits/F17608