Image result for data subject
image from https://www.slideshare.net/AurliePols/the-data-subject-first-decoding-the-gdpr-at-stratadata

The Data Protection Act provides various  rights of a data subject that apply to both actual and potential customers and employees. These include the right to:

  • be informed of the use to which their personal data is to be put; 
  • access their personal data in custody of any business/company; 
  • object to the processing of all or part of their personal data;
  • correction of false or misleading data;
  • deletion of false or misleading data about them; and 
  • The right not to be subject to a decision based solely on automated processing. 

Automated individual decision making

Every business customer and employee has a right not to be subject to a decision based solely on automated processing such as profiling, which produces legal effects affecting them. Automated decision making may however be pursued with the consent of the affected customer/employee or pursuant to any written law to which a business is subject for example some types of profiling by credit reference bureaus and financial institutions.  

Where a business takes a decision which produces legal effects or significantly affects a customer or employee based solely on automated processing: 

  • the business must, as soon as reasonably practicable, notify the affected customers in writing that a decision has been taken based solely on automated processing; and 
  • the customer may, after a reasonable period of receipt of the notification, request the business to— (i) reconsider the decision; or (ii) take a new decision that is not based solely on automated processing. This provides for human intervention at all levels of decision making within a business. 

In the case of financial institutions this would apply to cases such as loan limits for mobile lending or access to credit.