The Belgian Data Protection Authority has adopted a new decision that applies the principles on automated decision-making set out by the CJEU in its SCHUFA I decision of 7 December 2023. Some specific considerations:
– This decision is a “prima facie” one, i.e. not yet a full decision on the merits, to order the controller to comply with a data subject request (re access + erasure). The BDPA is giving the controller the opportunity “to still comply with [Articles 5, 6 and 22 GDPR]”.
– The controller here is a car sharing platform provider that had automatically suspended a user account “further to a standard evaluation […] of payment history, based on online payment habits of the [data subject]”, carried out by a third-party credit agency. That suspension was irreversible, even if the data subject were to change means of payment.
– The BDPA quotes SCHUFA I excerpts stating that Art. 22 GDPR on automated decision-making notably covers the establishment of a probability value such as that one [= credit scoring with an impact on decisions to grant a loan].
– While this credit scoring was clearly profiling, the BDPA’s decision lacks detail on why this is a *decision* with legal effects or similarly significantly affecting the data subject (so the “decision” part of automated decision-making is not yet explained here). Perhaps a future decision on the merits will explain that further, but I think we can already assume that the BDPA considers suspension of a service and related contract as having legal effects.
– While SCHUFA I examined whether the credit reference agency itself is carrying out automated decision-making, the focus in this BDPA decision lies on the recipient of that credit score.
The resulting obligations (in particular transparency and legal grounds) are here examined mainly from the perspective of that “second” controller*: “even if the evaluation data was obtained by a third-party agency, […] the defendant is nonetheless responsible for the processing of all the data processed” and “must therefore provide the data subjects with the information they request pursuant to Article 15 of the GDPR, and in particular the information relating to the logic which led the defendant to take the automated decision”.
* apart from one footnote that refers to “the controllers, given that the defendant calls upon agencies likely to be qualified as [controllers themselves]
– The President of the Litigation Chamber delegates this prima facie decision to another member of the Litigation Chamber – this practice, which seems a useful way of managing workload, will assumedly disappear once the mandate of current Litigation Chamber members ends (see comments here: https://lnkd.in/eW9_4yet ).
Decision (in French): https://lnkd.in/eDTytwhF
data protection privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗