
Finance


Personal data is essential to fulfill business needs in the finance sector. Find below an introduction to:

Data Processing: What kind of personal data is normally processed in the finance sector, and how critical is that processing?

Regulation: Which privacy laws and provisions have to be respected in the finance sector?

Risks & Enforcement: Which compliance risks must be considered and what has been the focus of supervisory authorities and courts?






Data processing in the financial sector





What kind of personal data is normally processed in the finance sector, and how critical is that processing?

If the granting of a loan to a natural person is at issue, it is in the fundamental interest of the credit institution to ensure its own financial flexibility and deposit protection. In order to be able to grant even higher loans despite the risk of default, an individual risk assessment of the potential borrower is required.

In addition to the creditworthiness of the applicant, the applicant's reliability - i.e. the likelihood of misuse / fraud by the person - is also an important decision-making criterion for the credit institution. Data on creditworthiness and reliability are extremely sensitive, as they potentially allow the data subject to be stigmatized. It is therefore all the more important that the score values on which risk assessment is often based are calculated by means of scientifically reliable calculation methods. The financial institution either uses its own empirical values for scoring (so-called internal scoring) or tasks a credit agency with the (automated) generation and provision of score values (so-called external scoring). The negative or positive data on which the scoring is based are themselves often highly sensitive since they inform about the previous payment behavior of the potential borrower and - in the case of external scoring - are based on empirical values from a large number of so-called submitting companies.



Which privacy laws and provisions have to be respected in the finance sector?

Numerous sector-specific regulations - including those in the German Banking Act (KWG), the German Securities Trading Act (WpHG), and the German Money Laundering Act (GWG) - enable or require the creation of creditworthiness and / or reliability profiles. In some cases, it is specified in detail which individual data categories may / must be processed for which purpose and from which sources the data may be obtained. The respective regulations do not always aim at ensuring legitimate interests of the financial institution, but, as in the case of relevant provisions of the German Civil Code (BGB), at protecting the consumer from financial overload.



Which compliance risks must be considered and what has been the focus of supervisory authorities and courts?

If data in the financial sector is not processed in accordance with the law, this can have a strong personal impact on the lives of the persons concerned (e.g. borrowers). This would be the case, for example, if a person is refused a loan to buy a house due to a negative credit rating.

Against this backdrop, the processing of data in the financial sector has already been the subject of various statements by authorities and court judgements.






