The modern banking and credit industry rely heavily on the analysis of the customers' data. In fact, long before the advent of the GDPR the banks were allowed ex lege to process the necessary data in order to assess the risk of granting a loan to a particular business or a person. With the advent of new powerful data processing tools such as deep learning algorithms, AI the digital finance industry came to a point where the knowledge about the customer can be one of the main advantages in a run for a client. What is more, the incumbent banks are challenged by the rising force of digital world, the Internet giants who know about customers, behavior more than ever.

Automated decision-making under the GDPR

The GDPR put tight conditions on the so-called automated decision making (further as "ADM"), regardless of the industry in which it takes place. The ADM would be allowed in two scenarios: through consent given by a customer or if the ADM is explicitly allowed by the national laws. In the second scenario, the requirement towards such national laws would be that national legislation should ensure suitable measures to safeguard data subjects' rights and freedoms. As we all know, getting a customer's consent for the personal data processing in any process is quite a difficult task. This is why the Polish banking industry actively participated in the legislative process, which ended up in the broad possibility for the ADM, although with the safeguards embedded.

Profiling made available for all types of personal data 

The result of the changes to the Polish banking law authorizes the banking sector to freely decide what information concerning potential customer will be taken into account when making the decision. Only sensitive data, as required by GDPR, was excluded from this catalogue. This is contrary to the first draft of this legislation, which as proposed by the Ministry of Digitalization, limited the scope of data to the closed catalogue. 

The suitable measures to safeguard a data subject's rights were introduced by giving them the right to obtain information about the grounds of the decision, the right to human intervention when re-making the decision as well as the right to express its own opinion. At the final stage of the legislative procedure, it was decided that a data subject will not have the right to challenge the decision based on the automated processing, as it was proposed previously.

This is definitely a huge win for the whole banking industry because it allows it to keep the status quo when it comes to the decision making process.

Concerns on the right to information

Apart from the safeguards, which are necessary under GDPR, the new legislation gives consumers a new, awaited right, which is currently reserved only for the entrepreneurs.

Under new laws consumers will have the right to request information about reasoning of any credit decision, regardless of how, wholly or partly by automated means, the decision was made. The reasoning of the decision should include information about the factors, including the personal data, which were taken into account.

Therefore, the industry faces a difficult task when it comes to deciding what information and how should be disclosed in order to be compliant. A balance should be kept between allowing data subjects' to fulfill their rights and protecting the trade secrets and know-how of the banking industry.

The amendments to the banking law appears to be a win-win situation for both the business and the consumers. The amended laws do not enforce radical changes in the decision making process when it comes to assessing creditworthiness and credit risk. At the same time, consumers are given new, long-awaited rights ensuring protection of their rights and freedoms. There is also a third winner in this game, which are the technology vendors providing solutions in business intelligence area.

This article has been co-authored by Izabela Tarłowska (izabela.tarlowska@dentons.com) and Aleksandra Żebrowska (aleksandra.zebrowska@dentons.com).

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.