Slovenia, Information Commissioner, Opinion no. 07121-1/2021/2502, 21 December 2021

Member State
Slovenia
Topic
Rule of law
Sector
Rule of Law and Predictive Justice
Deciding Court Original Language
Informacijski pooblaščenec Republike Slovenije
Deciding Court English translation
Information Commissioner of the Republic of Slovenia
Registration No.
07121-1/2021/2502
Date Decision
21 December 2021
ECLI (if available)
N/A
National Follow Up Of (when relevant)
N/A
EU legal sources and CJEU jurisprudence
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), Articles 13, 14, 22, 35

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)
ECtHR Jurisprudence
N/A
Subject Matter
Opinion of the Information Commissioner on profiling and automated decision-making in the allocation of credit by a commercial bank.
Legal issue(s)
In the opinion at hand, the Information Commissioner:
- emphasises the obligation of the individual bank to carry out a data protection impact assessment and highlights the key aspects that need to be assessed in such a case;
- classifies automated decision-making on credit as an instance of automated decision-making which has legal effects concerning natural persons or similarly significantly affects them, and explains that Article 22 of the GDPR establishes a general prohibition on decisions based solely on such automated processing;
- finds that national legislation does not provide for SISBON to be linked to the databases of individual banks, nor does it allow the automated transfer of individuals' personal data from SISBON to the databases of banks for profiling or automated decision-making without the involvement of a human being; and
- highlights aspects where the risks relate not only to data protection but also to the protection of consumer rights and the prevention of abuse in debt.
Request for expedited/PPU procedures
N/A
Interim Relief
N/A
National Law Sources
Personal Data Protection Act (Official Journal of the RS, no. 94/07), Article 84

Central Credit Register Act, Articles 19, 21

Rules of the system for the exchange of information on indebtedness of natural persons - SISBON (the SISBON Rules).

Consumer Credit Act, Articles 5, 7, 10
Facts of the case
The Information Commissioner has received a question concerning the use of automated decision-making in the consumer credit approval process, namely whether automated decision-making is allowed in relation to the credit approval steps following the retrieval of data from SISBON (System for Information Exchange - an information system for the collection and processing of data relating to the actual and potential indebtedness and the correctness of the fulfilment of contractual obligations by customers), including retrieval of data from SISBON through the initiation of a technical overwrite command (by a bank employee).

It was clarified at the time of the question that, in addition to the data obtained from SISBON, the data provided by the customer and the data already held by the bank on the customer are also used at that stage for the decision.

The question asked whether such a process could be considered not to be subject to the limitations of Article 22 of the GDPR, since a bank employee is always involved in the process, or alternatively whether the decision to grant credit could be considered necessary for the conclusion of the contract, so that automated decision-making would be allowed in the credit approval process under Article 22(2)(a) of the GDPR.
Reasoning (role of the Charter or other EU, ECHR related legal basis)
The Information Commissioner (the IC) emphasises at the beginning that it is the responsibility and task of the individual bank to assess the admissibility and compliance of a specific automated processing and credit approval decision-making procedure with the GDPR and the national legislation. The IC points out that the question of when and whether or not it is permissible to link databases to obtain and automate the input of personal data to or from databases is only one of the aspects that must be subject to such assessment. It adds that the abovementioned question is not specifically covered by the GDPR but was covered by then-applicable Article 84 of the Personal Data Protection Act.

The IC notes that a data protection impact assessment should first be carried out in accordance with Article 35 of the GDPR to be able to assess all aspects of the processing in question and explains that, in the context of the opinion in question, the IC can only provide clarifications on what are the key aspects of such assessment. Additionally, the IC stresses that, in the situation in question, such an impact assessment is most likely mandatory and points to the list of processing operations to which mandatory assessment applies, published on the IC's website, in accordance with Article 35(4) of the GDPR.

The IC explains that an impact assessment is also useful in situations, such as the one in question, where the controller is not sure whether the processing operations fall within the definition of Article 22(1) of the GDPR and what safeguards should be put in place in case they fall within one of the permissible exemptions. The IC states that in the situation in question, it is essential to consider the legal bases for obtaining personal data; how this data will be obtained and from which sources; how the processing and the individual stages of the processing will be reported in accordance with Articles 13 and 14 of the GDPR; whether and to what extent and at what stages automated decision-making systems on granting credit will be used and, if so, the appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subjects.

The IC clarifies that in such situations, the controller must also, as part of the impact assessment, identify and record the degree of automated and human intervention in the decision-making process, and emphasises that, according to the guidelines issued by the European Data Protection Board (EDPB), for the intervention to be considered human, the controller must ensure that any control over the decision is meaningful (carried out by someone who has the power and authority to change the decision) and not merely a symbolic act. The IC thus concludes that the argument that automated decision-making would prevent errors made by a human decision-maker itself suggests that the person's role in such a case would not be aimed at substantively changing the decision but would be purely symbolic, and that such intervention would not count as human intervention.

The IC further points out that, according to the EDPB guidelines, profiling consists of three elements: an automated form of processing; carried out on personal data; with the aim of assessing personal aspects of the individual. It explains that there are three possible ways to use profiling in the context of Article 22 of the GDPR: general profiling; decision-making based on profiling; and solely automated decision-making, including profiling, which has legal effects on natural persons or similarly significantly affects them.

The IC points out that the GDPR itself classifies automated decision-making on credit as an instance of automated decision-making which has legal effects concerning natural persons or similarly significantly affects them (recital 71 of the GDPR). It explains that Article 22 of the GDPR, while providing for certain exceptions, establishes a general prohibition on such decision-making based solely on automated processing, and that this prohibition applies regardless of whether or not the data subject takes action concerning the processing of their data. In the view of the IC, the case in question is likely to involve both profiling and automated decision-making with legal effects for the individual, whatever the sources of the input data to be processed, and even if it might not involve the linking of the bank's databases with SISBON.

The IC states that, with regard to access to SISBON data, Article 19(4) and (5) of the Central Credit Register Act (the CCRA) stipulate that data may only be accessed by authorised persons and that, in the context of the protection of personal data, traceability of access to and extraction of data from the system must be ensured, in such a way that it is possible to identify the authorised person who accessed or extracted data from the system and to verify the reasons for which that person accessed or extracted the data in question. The IC therefore finds that the CCRA does not provide for SISBON to be linked to the databases of individual banks, nor does it allow the automated transfer of individuals' personal data from SISBON to the databases of banks for profiling or automated decision-making without the involvement of a human being. The IC adds that, at the implementation level, this is also provided for in the Rules of the system for the exchange of information on indebtedness of natural persons - SISBON (the SISBON Rules).

The IC further states that, according to Article 21 of the CCRA, the extract of data from SISBON is an integral part of the credit documentation maintained by the SISBON member or the creditor involved, and that there are limitations on the use of this data in the context of direct or targeted marketing and in deciding whether or not to open a transaction account for an individual, which the bank is required to take into account and comply with when defining the procedure for dealing with a customer in connection with the conclusion of a credit transaction.

The IC further highlights aspects where the risks are not only related to data protection but also to the protection of consumer rights and the prevention of abuse in debt.

The IC states that one such aspect is the identification of the customer to lawfully enter into a transaction, e.g. a loan or other debt transaction, which must be carried out in accordance with the SISBON Rules. The IC further underlines the principle of good faith and fair dealing of creditors, which is derived from Article 5 of the Consumer Credit Act (the CCA), the requirement under Article 7 of the CCA to provide prior information before concluding a credit agreement and the requirement under Article 10 of the CCA to assess the creditworthiness of the consumer based on information on the consumer's income or assets obtained from the consumer and SISBON.

Lastly, the IC expresses doubts as to whether the requirements set out in Article 7 of the CCA are met in the case where the offer of a credit agreement is entirely the result of automated decision-making using an algorithm and without human intervention.
Relation of the case to the EU Charter
N/A
Relation between the EU Charter and ECHR
N/A
Use of Judicial Interaction technique(s)
consistent interpretation
Horizontal Judicial Interaction patterns (Internal – with other national courts, and external – with foreign courts)
N/A
Vertical Judicial Interaction patterns (Internal – with other superior national courts, and external – with European supranational courts)
The Information Commissioner refers to the EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 in relation to the question of when the profiling takes place and the role of human intervention in the decision-making process.
Strategic use of judicial interaction technique (purpose aimed by the national court)
The Information Commissioner refers to the EDPB Guidelines to support its opinion.
Impact on Legislation / Policy
N/A
Notes on the national implementation of the preliminary ruling by the referring court
N/A
Did the national court quote case law of the CJEU/ECtHR (in particular cases not already referred to by the CJEU in its decision) or the Explanations?
N/A
Did the national court quote soft law instruments, such as GRECO Reports, Venice Commission, CEPEJ Reports, or CCEJ Reports?
N/A
Did the national court take into account national case law on fundamental rights?
N/A
If the court that issued the preliminary reference is not a last instance court, and the “follow up” was appealed before a higher court, include the information
N/A
Was there a consensus among national courts on how to implement the CJEU's preliminary ruling; and were there divergences between the judiciary and other state powers regarding the implementation of the preliminary ruling?
N/A
Impact on national case law from the same Member State or other Member States
N/A
Connected national caselaw / templates
On 7 December 2023, the CJEU ruled in the SCHUFA case. It held that a credit score issued using a probability-based scoring system by one party (a credit rating agency - SCHUFA) is considered to be a decision within the meaning of Article 22(1) of the GDPR when a third party (a lender) draws strongly on that credit score to reach the end decision on the loan. The CJEU pointed out that three cumulative conditions need to be met for Article 22(1) to apply: a decision must be made; it must be based solely on automated processing, including profiling; and it must produce legal effects concerning a natural person or similarly significantly affect them. The CJEU found that all of the conditions were met in the case in question and that consequently, SCHUFA was not only engaged in preparatory acts but also automated individual decision-making because the lender drew strongly on the credit score provided by the agency.

The question is to what extent this case is relevant to the situation addressed in the opinion of the Information Commissioner. It is important to note that SISBON is not a credit rating agency but a collection of personal data which is indeed relevant when determining the creditworthiness of natural persons, on which the approval of a transaction and the setting of the terms and conditions for a particular service depend. SISBON therefore does not provide a bank with a credit score; rather, the bank itself determines (with or without human intervention) the score on the basis of information obtained from SISBON, from the customers themselves and from the bank's own databases. In the case in question, the limitations of Article 22 of the GDPR seem to constrain only the individual bank, which however does not mean that the retrieval of SISBON data may be automatic without human intervention, as national law does not provide for this.
Author
Staša Tušar, University of Ljubljana
History of the case: (please note the chronological order of the summarised/referred national judgments.)
1. Information Commissioner, Opinion no. 07121-1/2021/2502 of 21 December 2021

Project implemented with financial support of the Fundamental Rights & Citizenship Programme of the European Union
© European University Institute 2019
Villa Schifanoia - Via Boccaccio 121, I-50133 Firenze - Italy