The Finnish Data Protection Authority has ordered a company to modify its automated practices for assessing creditworthiness.
The authority held that the Credit Decision Service in the company’s online environment is an automatic decision-making procedure under Article 22 GDPR.
The company was ordered, within 30 days to:
- amend its disclosure information so that the borrower could understand the reasons for the decision.
- provide individuals with information on the logic behind the decision-making process, its relevance to the credit decision and its consequences for the borrower.