Credit Scoring as personal data processing in light of the GDPR. Analysis of its purpose and influence on the possible secondary uses of the data

Abstract

Under the principles of responsible lending enshrined in the Credit Agreements for Consumer Directive and the Credit Agreements for Residential Immovable Property Directive, financial institutions are obliged to assess the creditworthiness of applicants prior to granting credit. This will be carried out using statistical credit scoring models. This practice will entail the processing of personal data subject to the General Data Protection Regulation (GDPR), which will have to comply with the data protection principles it enshrines. Thus, the proper identification of the purpose of the data processing will be crucial, as it could project its effects on the enabling of possible secondary uses of the data by credit institutions, allowing them to broaden the spectrum of possible processing of these data. Finally, we will assess the public interest as a possible basis for legitimisation, the implications of the use of AI in practice and the further processing of pseudonymised data.