Background
A German data subject (OQ) was denied a loan by a bank based on a credit score provided by SCHUFA Holding AG. OQ requested from SCHUFA a detailed account of how the score was calculated and its logic, but SCHUFA declined, citing trade secrets and arguing the bank—not SCHUFA—made the decision. The German Administrative Court (VG Wiesbaden) referred questions to the CJEU on whether generating such a credit score constitutes “automated decision-making” under Article 22 of the GDPR when a third party relies heavily on it. The CJEU held that where a third party “draws strongly” on a credit score, the processing of that score qualifies as an “automated decision-making” to which Article 22 applies.
AI interaction
“A probability value" issued "by the controller” is capable of being an automated decision when a third party “draws strongly” on it to reach a contractual decision. The Court thus extended Article 22 to include not only the final decision by a controller but also upstream predictive scoring if heavily relied upon. This introduces a broader view of algorithmic accountability: entities providing algorithmic inputs, like credit agencies, can be directly subject to the automated-decision rules in GDPR.
Note: The CJEU ruling makes credit-agency scoring processes potentially subject to the GDPR’s prohibition on fully automated decision-making, expanding the scope of algorithmic accountability upstream of end decisions.