report-consumer-friendly-scoring
This document is part of the request “Gutachten des Sachverständigenrats für Verbraucherfragen”
Public knowledge and acceptance of scoring

2.1 Knowledge relating to the use of variables in credit scoring

People’s level of knowledge about credit scoring is associated primarily with their age and whether they have obtained their Schufa credit score in the last five years. The total number of correct answers given by respondents who have requested their Schufa score in the last five years is slightly higher on average than the number of correct answers from those who have not asked for their Schufa score during that time. Respondents in the age brackets from 16 to 64 also average half a correct answer more than their counterparts aged 65 and over. As regards the individual input variables that are used for credit scoring, it emerges that the probability of a correct answer regarding the variables ‘Current loan agreement’, ‘Data from social networks’ and ‘Ethnic origin’ is higher among younger respondents, i. e. those in the 16–34 and 35–49 age brackets, than among the respondents aged 65 and over. The probability of a correct answer to the question whether data from social networks are used in assessing creditworthiness is also higher among respondents who have obtained their Schufa score in the past five years than among those who have not. Among respondents in the 16–34 age bracket the probability of a correct answer to the question whether ethnic origin features as an input variable in credit scoring is higher than among their older counterparts in the 65+ age group.

Overall, the findings indicate that respondents are most likely to know which variables are and are not used as inputs in creditworthiness assessment if they themselves have made active efforts to obtain their personal credit record or if they belong to the age group that is most likely, for example, to go through the process of applying for a mortgage and have to concern themselves with their credit score in that context. Since there was no observable systematic correlation between general formal education and correct identification of the variables used by credit reference agencies, the relevant knowledge is evidently not sufficiently addressed through formal education. It therefore appears that it would be useful to impart specific knowledge of scoring – what we might call promoting scoring literacy – both in the formal education framework and by other means.

2.2 Acceptance of data collection by in-vehicle telematics (Tables D.3 and D.4 above; Tables 3 and 4 in infas, 2018)

The age of respondents as well as the size of the settlement where they live in terms of population play a part in acceptance of rural driving as a factor that counts towards an advertised bonus in the form of a reduction in the cost of insurance premiums. Among older people, i. e. those aged 65 and over, the probability of approval of this input variable is higher than among people in the middle age bracket of 35 to 39 years. The probability of acceptance of rural driving as a positive input variable for policy pricing is also higher on average for people who live in a town with a population of 20,000 to 100,000 than for people who live in a city with a population in excess of 100,000. Here there are signs of a knock-on effect within the group of people who live in towns, i. e. urban settlements with fewer than 100,000 inhabitants: the smaller the town, the higher is the level of acceptance of schemes promising bonus points for rural driving.

In addition, the findings show that the probability of acceptance of speed as an input variable is higher among younger respondents (16–34 years of age) compared with those aged 65 and over when the question is framed with the focus on penalties.
2.3 Potential uptake of telematics-based tariffs and combined telematics-based tariffs (Tables D.6 and D.7 above; Table 7 in infas, 2018)

With regard to in-vehicle telematics, it is apparent that the potential uptake of such a tariff system is highly dependent on the context and the prospective consequences. Those to whom the telematics-based tariff has been presented as a bonus scheme can more readily imagine signing up for such a tariff than those to whom the potential penalties have been emphasised. This may mean that motor insurance tariffs based on telematics do not appeal to some groups of people unless the possibility of a price saving exists. The framing of the telematics option thus appears to play a considerable part in terms of the potential public uptake of offers based on scoring.

What is being seen in the realm of health telematics is that people with an above-average internal locus of control (“My future is in my own hands”; “If I try hard, I will succeed”) find it easier to imagine being on a telematics-based health insurance tariff than those whose internal locus of control is below average. This means that those who believe they can control their own lives and that their own actions will lead to success can more easily imagine themselves with a telematics-based health insurance policy.

In addition, the most price-conscious consumers can most readily imagine themselves on a combined tariff, in other words a tariff in which they would pay lower motor insurance premiums in return for making health-related data available to the insurer.

2.4 Acceptance of telematics with penalisation (Table 8 in infas, 2018)

The recording of pace counts with automatic penalisation in the form of billing for a share of medical costs in the event of insufficient exercise is more frequently approved by people who take part in sporting activity more than once a week than by those who are not so active and engage in sporting activity once a week or less. This suggests that people who have no reason to expect personal penalisation on any particular grounds, such as lack of exercise, are more inclined to accept a system that entails scoring-based penalisation on those grounds.

Speed recording with automatic penalisation, namely notification of speeding offences to the police, tends to be more acceptable to those who have no penalty points on their licence in the national register at Flensburg than to those who do. To put it in more general terms, acceptance of scoring seems to be higher among people who have not come to the attention of the authorities for infringements in the area in which they are being or will potentially be scored. We could therefore speculate that people who already tend to drive carefully, for instance by keeping to the speed limit and accelerating gently, and who are thus more likely to obtain bonuses, will more readily accept a telematics-based motor insurance tariff than those who do not match this description. This type of scoring also meets with greater approval from respondents who mainly use public transport than those whose main form of transport is a private car. These findings show that this form of scoring is more widely approved by people who will presumably be less affected by it and by the associated sanctions.

Generally speaking, we can therefore say that the hypothetical scores described here tend to be accepted as long as the respondents themselves have little or no reason to expect adverse consequences from such a scoring system.
3. Population survey findings: general summary and conclusions

3.1 On the transparency and comprehensibility of scoring

A majority of the respondents are against receiving notifications of their score, while the others (almost half of all respondents) would like to be informed in principle, albeit with variations in their preferred notification frequency. Current practice could conceivably be adapted by means of an opt-in arrangement so that automatic notification of a score would be generated whenever there was a major change in a consumer’s score which would or might have implications for the consumer, for example if the change entailed an actual or potential drop into the next lower category.

Acceptance rates for input variables, in other words whether the use of a particular variable in the calculation of motor or health insurance premiums is deemed to be justified, also differ depending on whether the variable is presented in connection with a bonus or a penalty. To enable consumers to make informed decisions on their chances of gains and losses, it would be desirable for them to receive information from their insurers on average bonus amounts and, where relevant, on possible losses.

3.2 On knowledge of scoring and scoring literacy

Across the whole spectrum of respondents, knowledge about the use of attributes in credit scoring is moderate.

The findings show in detail that the level of knowledge about the attributes used in credit scoring depends both on a person’s age and on whether he or she has obtained a personal credit record in the past five years. Formal education alone plainly does not seem to have any significant influence in this respect. Besides fostering scoring-related knowledge, it would appear to be beneficial to impart skills that are specific to scoring. The use of personal credit records that are obtainable on request, for example, seems to be a useful and comparatively inexpensive means to this end. This resource should be used expressly to give consumers important information in easily comprehensible terms about input variables and, where appropriate, their relative weighting so that they can engage in scoring processes in an informed manner.

3.3 On non-telematic options

On the whole, acceptance of the attributes proposed as input variables for the driving and health scoring systems we have presented is low. This suggests that the majority of respondents are opposed to the inclusion of most of the behavioural and situational variables presented above in new insurance tariffs, maybe not least because some of them relate to sensitive areas such as personal health.
The detailed findings show that, for some groups of people, acceptance of the collection of data on personal attributes and acceptance of telematics-based schemes in general are dependent on the extent to which they affect these people and on their personal circumstances:

• Public transport users support automatic reporting to the police of motorists’ speed-limit infringements.

• Those who engage in sporting activity anyway tend to support telematics-based health insurance.

• Motorists who have penalty points on their licence tend to be opposed to in-vehicle telematics.

Although higher acceptance rates were recorded for specific groups of people, acceptance of the collection of personal data as input variables for telematics-based insurance tariffs is, as a general rule, low. What is more, partly because the factors that could probably lead to higher acceptance cannot easily be influenced by everyone, such as whether people use public transport or enjoy unhindered physical mobility, the preservation of non-telematic options in the range of insurance policies would be welcome.

In terms of fairness it may also be regarded as problematic that the range of scoring-based products involving telematics meets with higher acceptance among people who are highly price-conscious. Although it is essentially gratifying when scoring enables consumers to obtain cheaper insurance premiums, an implicit compulsion to use telematics and hence to disclose personal data simply to avoid financial predicaments would be very undesirable from a consumer perspective. For these reasons too, consideration should be given to offering consumers a permanently available non-telematic (low-disclosure) option in order to guarantee genuine freedom of choice.

3.4 On super scores

A large majority of the respondents reject any publication of scores that characterise them. This applies both to publication on a voluntary basis and to a general publication requirement. The respondents also reject aggregation of scores from various areas of people’s lives, in some cases by a very large majority.

The greatest opposition is encountered by the idea of monetary penalties for unhealthy lifestyles in the realm of health insurance and by the mooted creation of composite scores covering every area of people’s lives.
E. The legal framework for scoring
The SVRV defines scoring as the assignment of a numerical value to a person for the purpose of predicting or guiding that person’s behaviour. That numerical value is normally determined by applying an algorithmic procedure to a broad set of baseline data (see chapter A.I above). Although there are certainly legal provisions governing scoring defined in this way, these provisions are scattered among a wide variety of legal instruments. There is no codified regulation of scoring, let alone a ‘Scoring Act’.

Thematically limited legal requirements for scores are derived from various sets of provisions. Depending on who undertakes scoring in the above sense and on the purpose for which it is done, who are being scored, on what aspect of their lives they are being scored and what legal or practical implications the computed score will have, various areas of the law and legal provisions are applicable in determining whether particular scoring operations are lawful. At this point it should be stated for the avoidance of doubt that, while scoring is explicitly regulated in section 31 of the Federal Data Protection Act, which has influenced the understanding of the term in the public debate, scoring within the meaning of that provision covers only some aspects of the phenomenon under examination in this report (for details, see section E.I.3 below). Scoring cuts across established legal fields and has not yet been the subject of legislative action as a specific phenomenon in need of regulation.

In the following sections we shall examine key interfaces between scoring and the legal system. The initial focus will be on scoring as a data-processing operation, and then requirements for scoring in specific sectors will be described. This will necessarily be done by means of examples, given the diversity of guises in which the concept of scoring appears. Following on from this description, we shall discuss the potential of current law for resolving general scoring-related problems concerning mathematical and statistical quality, transparency and non-discrimination. We shall conclude with a brief look at supervisory structures that could be harnessed for the enforcement of more stringent requirements for scoring (see the recommendations for action set out in Part F below).
I. The basis in data privacy law

Article 22 of the General Data Protection Regulation (GDPR) and section 31 of the Federal Data Protection Act come closest to performing the function of a set of rules for the regulation of scoring. Neither of these instruments covers scoring as defined in this report, at least not in its entirety. The definition of profiling in the General Data Protection Regulation does not contribute to a targeted regulation of scoring, since it is not accompanied by a clear definition of legal consequences (see section 1 below).

As a data-processing operation, scoring must, of course, satisfy the general requirements of data privacy legislation. On the challenges that scoring poses to existing conventions, namely the declaration of consent to the use of personal data (see section B.VIII.2 above), the principle that personal data may be used only for the purpose for which they were collected and the principle of data minimisation, see the SVRV working paper Verbraucher-Scoring aus Sicht des Datenschutzrechts (Domurath and Neubeck, 2018), which supplements the present report.

It is not yet possible to estimate what impact the principles for the processing of personal data laid down in Article 5(1) GDPR will have on scoring. Be that as it may, the potential of these principles to set standards (Frenzel, 2018, on Article 5 GDPR, points 55–56) cannot be dismissed as minimal from the outset, a fact highlighted, for example, by studies on the principle of fair data processing within the meaning of Article 5(1)(a) GDPR (Maxwell, 2015; Hacker, 2017).81

1. Profiling (Article 4(4) GDPR)

Article 4 of the GDPR defines numerous basic concepts in data privacy law in the form of a catalogue. Article 4(4) GDPR contains a definition of profiling.

Article 4 GDPR
Definitions.

For the purposes of this Regulation:

(…)

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

1.1 Profiling as an activity with no legal consequences

Scoring as defined in this report fits comfortably under the heading of profiling (Domurath and Neubeck, 2018; Schild, 2018, on Article 4 GDPR, point 64; Martini, 2018, on Article 22 GDPR, point 7). The only snag is that the definition of profiling in the General Data Protection Regulation remains inconsequential. The activity of profiling does not have any particular legal consequences (Veil, 2008, on Article 4(4) GDPR, point 1, and on Article 22 GDPR, point 4).
81 In the widely discussed Google Spain judgment delivered by the Court of Justice of the European Union on 13 May 2014 – Case No C-131/12 [EU:C:2014:317] – the
Court deduced from Article 6(1)(c) to (e) of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free movement of such data – the forerunner instrument to the General
Data Protection Regulation) – that it constitutes inadmissible processing if an internet search engine displays certain results in the context of a name search and so
establishes a ‘right to be forgotten’ (Schantz, 2018, on Article 5 GDPR, point 2).
Although the term ‘profiling’ recurs in several provisions of the General Data Protection Regulation,82 in each of those provisions the term could be omitted without altering the regulatory scope of the provision (Veil, 2018, on Article 4(4) GDPR, points 3–4, and on Article 22 GDPR, point 53).83

In addition, several recitals of the General Data Protection Regulation refer to profiling.84 Recitals are not “second-class law” but an integral part of the relevant legislative act of the Union, a part for which the primary law of the EU provides (see the second paragraph of Article 296 TFEU). Such recitals, however, do not establish any rights or obligations, so it would be misleading to refer to this reference to profiling as a provision.

The reason for this legal position is that it proved impossible, in the legislative process for the General Data Protection Regulation, to reach agreement on the legal consequences of profiling. At issue was not only what the consequences of profiling activity should be (Veil, 2018, on Article 4(4) GDPR, points 9ff; cf. also WP 29, 2013), but also the preceding question as to which characteristics and circumstances should be emphasised in order to give the profiling phenomenon some contours in the first place, to which various answers were put forward in the course of negotiations on the General Data Protection Regulation (Veil, 2018, on Article 4(4) GDPR, points 5–6). It may be that the legislators’ decision not to attach any legal consequences to profiling was ultimately the key to the formal consensus reflected in Article 4(4) GDPR (SVRV, 2016).

1.2 Profiling as a weighting criterion

“The fact that profiling is nevertheless defined” – i. e. in spite of its lack of legal consequences – in the General Data Protection Regulation “has a purely political significance and is intended to signal that the lawmakers at least recognised the challenges associated with various forms of profiling” (Veil, 2018, Article 4(4) GDPR, point 1). On the basis of this “statement function” of a definition of profiling, it also seems fair to assume that the presence of data processing in the form of profiling will have the effect of placing a weight on the scale wherever a balance has to be struck between the interests of data processors and data subjects. In many places, the General Data Protection Regulation regulates the admissibility of data-processing operations and the conditions for the exercise of data subjects’ rights by means of general clauses (Buchner, 2017; on the reasons for this regulatory model in data privacy law, see Petersen, 2000, and Hoffmann-Riem, 1998).

General clauses are particularly amenable to the incorporation of numerous evaluation criteria that must be determined situationally and weighted. These clauses require the reconciliation of conflicting interests and objectives of the common good but do not prescribe the outcome of that reconciliation. General clauses therefore guide the application of the law to a comparatively low degree. This applies to both the direction of data controllers (Article 4(7) GDPR), who seek to shape their data-processing operations and structures in compliance with the law, and the programming of oversight activity on the part of supervisory authorities and courts, which ultimately have to decide on the legality of such data-processing arrangements.
If a data-processing operation is definable as profiling within the meaning of Article 4(7) GDPR, it is legitimate to lend considerable weight to the data subject’s need for protection in a legally prescribed balancing of interests. This takes account of the need to protect the data subject, which recital 71 of the General Data Protection Regulation explicitly recognises, in the application of the law. This may be illustrated by Article 6(1)(f) GDPR, which states that processing is lawful if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”.

82 See Article 13(2)(f); Article 14(2)(g); Article 15(1)(h); Article 21(1), first sentence, second clause, and (2), second clause; Article 35(3)(a); Article 47(2)(e); Article 70(1)(f) GDPR.
83 As far as can be seen, the only exception: the European Data Protection Board (Articles 68 ff. GDPR) has, among other tasks, that of providing guidelines etc. for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2) GDPR (Article 70, second sentence, point (f) GDPR); not every automated individual decision covered by Article 22(2) GDPR, however, is based on profiling operations. No reason is apparent for this restriction of the Board’s remit, which follows from the wording of the provision (and which cannot be dismissed as a drafting error, see recital 72, second sentence, GDPR).
84 See above all recital 71 GDPR, and also recital 60, third sentence, recital 63, third sentence, recital 70, first sentence, recital 72, first and second sentences, and recital 91, second sentence, GDPR.

In the balancing of interests that is required by that provision, considerable weight must be attached to the data subject’s interest in not having his or her data processed for profiling purposes (Buchner, 2018, on Article 4(4) GDPR, point 8).

1.3 Potential for the regulation of scoring by Article 4(4) GDPR

The conclusion to be drawn is that the definition of profiling in Article 4(4) GDPR does not amount to a regulation of that phenomenon but only lays emphasis on the social significance of that data-processing operation. A materially appropriate regulation of scoring cannot be built on that foundation. Although it is entirely possible for the Court of Justice of the European Union and national courts to set additional generalised standards supplementing the current legal rules, that is not a particularly realistic scenario, given the relatively scant intervention of the judiciary so far to flesh out the provisions of data privacy law.

2. Automated individual decision-making (Article 22 GDPR)

Article 22 GDPR
Automated individual decision-making, including profiling

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
2.1 The structure and legal consequences of the provision

Article 22 GDPR lays down criteria for the legality of automated decisions in individual cases. The provision displays an impressive legislative complexity: it identifies a basic form of decision (paragraph 1), exceptions to that form (paragraph 2), then an exception to those exceptions (first clause of paragraph 4) and lastly an exception to the latter (second clause of paragraph 4).

Paragraph 1 of the provision lays down the principle that data subjects have a right not to be subject to a decision if it produces legal effects concerning them or similarly affects them to a significant degree. Paragraph 2 provides for three exceptions to this rule, permitting automated individual decisions if their purpose is the performance of a contract, if they are based on a law or if the data subject has given his or her consent. In section 37 of the Federal Data Protection Act, the German legislature created such a legal basis for further restriction of the data subject’s right. Paragraph 4 of Article 22 GDPR restricts the trio of exceptions in certain cases in which the automated decision is based on special categories of personal data, i. e. those referred to in Article 9(1) GDPR. If an automated individual decision is admissible under this set of rules, Article 22 GDPR makes an additional stipulation that suitable measures must be laid down to safeguard the data subject’s rights and freedoms and legitimate interests (paragraphs 2(b), 3 and 4).

The GDPR establishes numerous consequences that apply in the event of an automated individual decision within the meaning of Article 22 GDPR (these are summarised in Veil, 2018, on Article 22 GDPR, points 16ff.). Among these consequences are specific information obligations prior to the processing of data (Article 13(2)(f) GDPR where data have been collected from the data subject and Article 14(2)(g) where data have been collected from other persons) and information rights after data processing (Article 15(1)(h) GDPR); for more details see section E.III.1 below. To these may be added “system- and process-related obligations” (Dreyer and Schulz, 2018, pp. 32ff.), which include in particular the obligation to carry out a data protection impact assessment (Article 35 GDPR), to enact binding corporate rules (Article 47(2)(e)) and to designate a data protection officer (Article 37 GDPR, taken in conjunction with the second sentence of section 38(1) of the Federal Data Protection Act and Article 35 GDPR).

2.2 The ‘decision’ as a key criterion in Article 22 GDPR

Article 22 GDPR cannot fulfil its potential for the regulation of scoring unless scoring meets the condition of being “a decision based solely on automatic processing” which “produces legal effects” concerning the data subject or “similarly significantly affects him or her”. In the following paragraphs we shall use the term ‘the decision’ within the meaning of Article 22 GDPR to refer to this phenomenon.

In which cases a ‘decision’ within the meaning of Article 22 GDPR is encountered is far from self-evident (Gesellschaft für Informatik, 2018). This uncertainty is well illustrated by the example of scoring itself. The assignment of number x to person P may be described as a decision by analogy with that of the judges at a gymnastics competition or with marks awarded for schoolwork. If every assignment of this type, however, were regarded as a decision within the meaning of Article 22 GDPR, the applicability of that provision would have to be virtually ubiquitous. The character of the decision would forfeit any distinctiveness and could no longer perform the function of narrowing down the definition of an unlawful situation.

By using the definitional element of a ‘decision’, Article 22 GDPR distinguishes between interactions in which one person takes a decision about or for another on the one hand and structurally parallel interactions between a machine and a person on the other hand; only in the latter case does the General Data Protection Regulation establish the special regime described above with Article 22 at its heart. The legislators, however, lacked a clear concept of what the problematic element of these machine decisions they were regulating was actually meant to be (Dammann, 2016; Veil, 2018, on Article 22 GDPR, point 3), the element that was supposed to justify bringing them under legislative control. Against this backdrop, the characterisation of the provision as the “expression of a vague general disquiet” (Schulz, 2017, on Article 22 GDPR, point 2; see also section B.VII.2 above) about computer-made decisions seems appropriate.

The consequence of the lack of a “recognisable protective strategy” (Veil, 2018, on Article 22 GDPR, point 4) in the provision is that the scope and interpretation of the ‘decision’ criterion are uncertain. The uncertainty is