{"id":72465,"date":"2023-12-22T23:44:37","date_gmt":"2023-12-22T22:44:37","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-104\/"},"modified":"2024-05-12T00:36:53","modified_gmt":"2024-05-11T22:36:53","slug":"data-protection-insider-issue-104","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-104\/","title":{"rendered":"Data Protection Insider, Issue 104"},"content":{"rendered":"

–\u00a0<\/span><\/a><\/strong>CJEU: Credit Scoring Constitutes Automated Decision-Making <\/strong>–<\/span><\/a><\/strong><\/p>\n

On 7th December, the CJEU ruled that credit scoring constitutes automated decision-making in the sense of Article 22 (1) GDPR in OQ v Land Hessen. <\/a>As to the facts of the case, the applicant in the main proceedings, OQ, was refused a loan by a credit institute because of a negative credit rating by SCHUFA Holding which carries out creditworthiness checks and transmits these to credit institutes such as banks. The applicant requested information on how the creditworthiness profile was created, but received only limited information, as SCHUFA claimed that the rest constitutes a trade secret, and also because the actual decision on granting or refusing a loan is taken by the credit institutes which receive the detailed information by SCHUFA. Eventually, the dispute reached German courts, which asked the CJEU whether the credit rating of an individual, transferred by SCHUFA to banks, falls under the definition of an \u2018automated individual decision-making\u2019 within the meaning of Article 22 (1) GDPR. In its ruling, the CJEU answered the question in the affirmative. To reach its conclusion, it analysed separately the meaning of the following three concepts, which constitute the conditions for the applicability of Article 22 (1) GDPR, and concluded that they are fulfilled in casu: (1) \u2018decision\u2019, (2) \u2018\u2018based solely on automated processing, including profiling\u2019\u2019, and (3) a decision which produces \u2018\u2019legal effects\u2019\u2019 or which has a significantly similar effect. As to the first condition, the CJEU ruled that the concept of a \u2018decision\u2019 has to be given a broad meaning, referring also to \u2018a number of acts which may affect the data subject in many ways, since that concept is broad enough to encompass the result of calculating a person\u2019s creditworthiness in the form of a probability value concerning that person\u2019s ability to meet payment commitments in the future.\u2019 As to the second condition, the CJEU ruled that the credit scoring performed by SCHUFA is clearly an act of \u2018profiling\u2019. Third, as to the concept of a \u2018legal effect\u2019, the CJEU ruled that \u2018in circumstances such as those at issue in the main proceedings, in which the probability value established by a credit information agency and communicated to a bank plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing vis-\u00e0-vis a data subject \u2018legal effects concerning him or her or similarly significantly\u2019 affecting the data subject \u2018within the meaning of Article 22(1) of the GDPR\u2019. Finally, the CJEU recalled that the profiling in casu is in principle prohibited by the GDPR, unless one of the exceptions under Article 22(2) GDPR applies. It focused especially on the possibility that national law provides a legal basis for the profiling (Article 22 (2) (b) GDPR), referring to Article 31 BDSG (Federal German Data Protection Act) and expressed some doubts whether it can constitute such a legal basis and whether the profiling in question complies with Articles 22(2)(b) and (4) and Articles 5 and 6 GDPR.<\/p>\n

 <\/p>\n

\n

– CJEU on Data Breaches and Damages –<\/strong><\/a><\/span><\/p>\n

On 14th December, the CJEU ruled that a data breach does not automatically mean that the controller implemented insufficient technical and organisational measures and that the fear of misuse of the leaked personal data may be enough to constitute \u2018non-material damage\u2019 under Article 82 (1) GDPR in VB v Natsionalna agentsia za prihodite. <\/a>As to the facts of the case, the applicant in the main proceedings, VB, was one of those affected by a hack of the IT systems of the Bulgarian tax authority, following which the personal data of about 6 million individuals was leaked. VB requested compensation for the leak of their data and eventually the dispute resulted in several preliminary ruling questions to the CJEU concerning, essentially, two sets of questions, namely the concepts of appropriate technical and organisational measures (TOMs) and data breach, on one hand, and the question of compensation under the GDPR, on the other hand. The CJEU provided the following five clarifications. First, the CJEU ruled that the unauthorised disclosure of or access to personal data are not sufficient to determine that the controller did not implement adequate TOMs. Second, the CJEU established that under Article 32 GDPR, \u2018the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.\u2019 Third, the CJEU confirmed that under the principle of \u2018accountability\u2019, the controller bears the burden of proof that they have taken the necessary security measures and an expert\u2019s report does not constitute sufficient proof. Fourth, the CJEU confirmed that the controller must pay damages under Article 82 (3) GDPR where the controller is responsible for the damages which occurred, even where the damage is the result of a \u2018third party\u2019 unlawfully gaining access to the personal data in question. Fifth, the CJEU established that \u2018Article 82(1) of the GDPR must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting \u2018non-material damage\u2019 within the meaning of that provision.\u2019<\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span><\/a><\/strong><\/span>CJEU Repeats: Non-material Damages Do Not Require a \u2018De Minimis threshold\u2019 <\/a><\/strong>–\u00a0<\/span><\/a><\/strong><\/span><\/p>\n

On 14th December, the CJEU ruled that for an individual to be entitled to non-material damages, no \u2018de minimis threshold\u2019 has to be met, but that the affected individuals need to demonstrate that they have suffered from the negative consequences of the unlawful processing of their data in VX, AT v Gemeinde Ummendorf.<\/a> As to the facts of the case, the applicants in the main proceedings had their personal data published by the municipality of Ummendorf without their consent. They claimed damages under Article 82(1) GDPR. Their request was dismissed, because German law requires a certain minimum threshold for the suffered damages to be met and which was not fulfilled in casu. The dispute resulted in a preliminary ruling question on the interpretation of the concept of non-material damages under Article 82(1) GDPR. The CJEU ruled that the concept has an autonomous meaning under EU law and repeated that it has previously ruled that Article 82(1) GDPR does not require that the damage suffered reaches a certain minimum threshold, as long as damages have been suffered. In casu, the Court ruled that \u2018although there is nothing to preclude the publication on the internet of personal data and the consequent loss of control over those data for a short period of time from causing the data subjects \u2018non-material damage\u2019, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, those persons must also demonstrate that they have actually suffered such damage, however minimal\u2019 and that this damage \u2018differs from the mere infringement of the provisions of that regulation.\u2019<\/p>\n<\/div>\n

 <\/p>\n

\n

– CJEU Rules on the Concepts of Controller and Processor –\u00a0<\/span><\/a><\/strong><\/span><\/p>\n

On 5th December, the CJEU ruled in the case of Nacionalinis visuomen\u0117s sveikatos centras. In essence, the case concerned a corona tracking app, which was developed by a company working on the instructions of a Lithuanian government body.<\/a> Whilst the app was put into operation and actually collected personal data \u2013 including sensitive personal data \u2013 the app was eventually never acquired by the Lithuanian government. Whilst the acquisition process was started, it was then subsequently terminated. The Lithuanian Data Protection Authority fined the government body for a violation of a number of GDPR provisions, as well as the company, as a joint controller. The government body objected and suggested that the company should be regarded as the sole controller, whilst the company argued that it was only acting as a processor. In this regard, a number of questions were referred to the CJEU, which the CJEU then bundled into four sets of considerations:<\/p>\n