The Finnish Data Protection Authority has ordered a company to modify its automated practices for assessing creditworthiness.

The authority held that the Credit Decision Service in the company’s online environment is an automatic decision-making procedure under Article 22 GDPR.

The company was ordered, within 30 days to:

  • amend its disclosure information so that the borrower could understand the reasons for the decision.
  • provide individuals with information on the logic behind the decision-making process, its relevance to the credit decision and its consequences for the borrower.

Details from the Finnish Data Protection Authority.