What every bank, insurer, and financial institution needs to know about the General Data Protection Regulation and artificial intelligence — from Article 22 automated decisions to Data Protection Impact Assessments.
The General Data Protection Regulation is the European Union's foundational data protection law, in effect since May 25, 2018. It applies to any organization (anywhere in the world) that processes personal data of residents in the EU or EEA, making it the world's most influential privacy framework. GDPR treats personal data as a fundamental right and places strict requirements on how organizations collect, store, use, and also protect that information.
Unlike earlier privacy laws that operated at national levels, GDPR created a unified standard across all EU member states, with significant enforcement teeth. Organizations that violate GDPR face fines of up to €20 million or 4% of global annual turnover, whichever is higher. This combination of broad geographic reach and serious penalties means that GDPR compliance is not optional for any bank, insurer, or financial service provider serving European customers; it is a regulatory imperative.
Virtually every AI system deployed in banking and insurance directly touches personal data. When a bank uses machine learning to score credit risk, it processes customers' financial histories, payment records, and behavioral patterns. When an insurer uses AI for underwriting, it analyzes health data, demographics, and claims history. Fraud detection systems analyze transaction patterns in real time. Marketing algorithms segment customers based on their financial habits. None of these applications can function without processing personal data.
GDPR was written before modern AI became prevalent in financial services, but its core principles apply directly to algorithmic decision-making. The regulation does not distinguish between a human analyst reviewing a loan application and an AI model scoring the same application. What matters to GDPR is what data you process, how you use it, what decisions you make with it, and what rights people have over those decisions. For financial institutions, this means every AI system must operate within the GDPR framework from initial design through final deployment.
Article 22 of GDPR is the most critical provision for AI in banking. It establishes a fundamental right: individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects affecting them. In banking, this is not theoretical. Credit decisions, loan denials, insurance pricing determinations, and fraud investigations all produce legal effects. They directly affect whether someone gets a loan, how much they pay, or whether their account is frozen.
The rule is straightforward in principle but requires careful implementation. A bank cannot deploy a credit scoring AI and simply accept whatever the model outputs as the final decision. The decision cannot rest solely on automated processing. There must be human involvement: meaningful human involvement, not a rubber-stamp review. A December 2023 ruling by the Court of Justice of the European Union (CJEU) in the SCHUFA case clarified that credit scores themselves constitute automated decision-making under Article 22, even when they inform rather than directly determine outcomes. This expanded the scope significantly for financial institutions.
However, Article 22 does permit exceptions. Automated decision-making is allowed when the decision is necessary for contract performance (for example, processing a wire transfer a customer has explicitly requested), when it is authorized by law (regulatory requirements may allow certain automated determinations), or when the individual has given explicit, informed consent to the decision being made automatically. These exceptions are narrower than many banks assume. Even where they apply, safeguards remain mandatory: the right to human intervention, the right to express their views on the decision, and the right to challenge it.
What "meaningful human review" means has been a subject of active enforcement. Regulators and courts have made clear that the human review must actually engage with the AI's reasoning, must have the authority to override it, and must not be perfunctory. A compliance officer glancing at a model output for 30 seconds does not satisfy Article 22. The human reviewer must understand the basis for the AI's decision and must be capable of exercising independent judgment based on that understanding.
Beyond Article 22, several GDPR provisions create a compliance framework for any AI system processing personal data in financial services. First is the requirement for a lawful basis. Organizations cannot simply collect and use personal data because they have technical capability. GDPR requires one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interest. For most banking AI, legitimate interest is the legal basis: a bank has a legitimate interest in assessing credit risk or detecting fraud. However, legitimate interest is not a blank check. It requires a three-part test: the organization's interest must be legitimate, the processing must be necessary to achieve that interest, and the organization's interest must not be overridden by the individual's fundamental rights and freedoms. This balancing test creates real constraints on how actively AI can be deployed.
Transparency is another foundational requirement. Organizations must tell people when AI is being used and provide meaningful information about the logic, significance, and consequences of the processing. This does not mean revealing proprietary model code or training data but does mean explaining in plain language how the AI works and what factors drive its decisions. A customer denied a loan has the right to know that an AI system made the determination and to understand the main factors behind it. Financial institutions often worry that transparency requirements will expose trade secrets. GDPR does not require that. A bank can explain that "your credit score reflects your payment history, the length of your credit history, and recent account inquiries" without disclosing the exact model weights or other training techniques.
Data Protection Impact Assessments (DPIAs) are mandatory before deploying any high-risk AI system. A DPIA is a structured analysis of how the system processes data, what risks it creates, and what safeguards are in place. For a bank developing a new AI-driven credit scoring system, a DPIA must examine questions such as whether the model might discriminate against certain groups, what happens if the model fails, how data quality issues could propagate through decisions, and whether individuals have adequate rights and ability to seek recourse. Regulators have made clear that a DPIA cannot be a checkbox exercise: it must be a genuine risk assessment that may lead to decisions to modify, delay, or reject AI deployments.
Data quality and accuracy are explicit GDPR obligations. Personal data must be accurate and kept up to date. For AI systems, this creates a specific challenge: if the training data is outdated, biased, or incomplete, the model will learn those flaws and perpetuate them. A bank using historical lending data to train a credit model must account for the fact that historical lending may reflect past discrimination. If the training data is biased toward denying credit to certain demographic groups, the AI will learn that bias. GDPR does not explicitly prohibit this (discrimination law does), but GDPR requires accuracy, and a systematically biased model is, in a real sense, inaccurate.
Privacy by design and by default is a requirement, not a suggestion. This means building data protection into AI systems from the beginning, not adding it after deployment. For a financial institution, this translates to principles like data minimization (collect only the data actually needed for the credit decision, not every piece of personal information available), purpose limitation (use data only for the stated purpose, not for other marketing or profiling), and storage limitation (delete data once the purpose is fulfilled). An AI system that collects extensive personal data, stores it indefinitely, and uses it for purposes beyond the original one will struggle to achieve GDPR compliance regardless of other measures.
Finally, the right to explanation: individuals can request an explanation for a decision affecting them made by an AI system. Organizations cannot hide behind algorithm complexity or claim that trade secret protections prevent disclosure. The explanation must be meaningful and understandable to a non-technical person. This right has been consistently upheld by EU regulators and courts, including the ICO guidance and the CJEU SCHUFA ruling, which confirmed that trade secret protections do not override Article 22 rights.
The EU AI Act, which came into force in phases starting in 2024, creates a parallel compliance regime specifically for AI systems. Financial institutions now face not one but two major regulatory frameworks. The good news is that these frameworks are designed to work together, not against each other. However, compliance requires an integrated approach.
Approximately 87% of high-risk AI systems regulated under the EU AI Act involve processing of personal data and therefore trigger GDPR as well. A bank's AI-driven credit scoring system is high-risk under the AI Act and subject to GDPR. An insurance underwriting AI is high-risk under the AI Act and subject to GDPR. Both regulations apply to the same system, and both have requirements for transparency, human oversight, and documentation.
The overlap creates an opportunity for efficiency. A single Data Protection Impact Assessment can be structured to address both GDPR and AI Act compliance requirements. When conducting conformity assessments under the AI Act, organizations must include a statement confirming GDPR compliance. Rather than maintaining separate compliance programs, financial institutions should develop an integrated governance architecture that satisfies both frameworks simultaneously. This approach reduces redundancy and creates a more coherent risk management structure.
Regulators take GDPR violations seriously, and financial services has been a particular focus. By January 2025, GDPR fines had reached approximately €5.88 billion globally. Fines in financial services are typically at the higher end of the spectrum because banks and insurance companies are regulated entities with heightened duty of care.
Several enforcement actions illustrate the specific risks AI creates. The Hamburg Commissioner for Data Protection fined a financial services provider €492,000 for automated credit card rejections made without meaningful human review. The customer had been rejected by an AI system, had no meaningful opportunity to be heard, and had no practical recourse. The Berlin Commissioner for Data Protection imposed a similar €300,000 fine for a bank's failure to provide human oversight of automated account decisions. Spain's AEPD imposed a €3 million fine against a company for unlawful commercial profiling using personal data. These are not edge cases or novel interpretations: they reflect consistent enforcement of core GDPR principles.
The CJEU SCHUFA ruling in December 2023 was a landmark decision that expanded enforcement risk. Credit scoring company SCHUFA had argued that its scoring system did not constitute an "automated decision" under Article 22 because scores informed decisions rather than making them directly. The CJEU rejected this argument, holding that Article 22 applies to scores that have legal or similarly significant effects, even when they are one input among several. This decision significantly broadened the scope of Article 22 obligations for financial institutions and credit reporting agencies.
The practical implication is clear: every AI system that touches customer data needs a lawful basis, transparency measures, and human oversight capability. Banks cannot deploy "black box" credit models that produce decisions with no explanation and no meaningful opportunity for human review. The business case for such systems, while superficially appealing (faster decisions, lower costs), does not survive close GDPR scrutiny.
The documentation burden is substantial. DPIAs, impact assessments, records of processing, evidence of transparency measures, and audit trails of human decisions create administrative overhead. However, this burden should not be viewed as compliance cost alone. The documentation also creates an audit trail that demonstrates due diligence to regulators, helps prevent discriminatory outcomes from going undetected, and provides a foundation for understanding and improving AI systems over time. Financial institutions already maintain extensive documentation for other regulatory regimes (anti-money laundering, know-your-customer, etc.). GDPR documentation is a natural extension.
GDPR compliance is also a prerequisite for EU AI Act compliance, not an alternative. Banks cannot achieve AI Act conformity without addressing GDPR. The integrated framework means that investment in GDPR governance strengthens the entire AI governance architecture.
Corvair's governance architecture is designed to embed GDPR compliance into AI system design from the outset. Rather than treating compliance as a post-deployment requirement, Corvair integrates data protection impact assessments, transparency requirements, and human oversight mechanisms structurally into AI governance. This approach ensures that GDPR obligations are satisfied not through administrative workarounds but through sound system design, reducing both compliance risk and the risk of unintended harms from AI systems.
Schedule a BriefingThe European Union's comprehensive risk-based framework for artificial intelligence systems, directly applicable to high-risk AI in banking and financial services.
Read guideSingapore's Personal Data Protection Act governs AI and data processing by financial institutions, intersecting closely with the MAS AIRG framework.
Read guideThe Digital Operational Resilience Act imposes ICT risk management and third-party oversight obligations on EU financial institutions, intersecting with GDPR compliance.
Read guide