GDPR Art. 22 post-SCHUFA: when automated suspensions become unlawful

In Case C-634/21, on 7 December 2023, the ECJ ruled that the automated calculation of a risk score is itself a decision within the meaning of GDPR Art. 22 - not only the subsequent follow-up action.

The key sentence: a decision is 'automated' even when a human is formally involved but in fact relies on the machine output without an independent check. Rubber-stamping remains automated under the norm.

Applied to platform suspensions: a mod who 'confirms' an anti-cheat suspicion without independently verifying the facts does not create a human decision. The suspension stays within the scope of GDPR Art. 22.

GDPR Art. 22 applies only to decisions with 'legal effects' or 'significantly affecting' the data subject. Platform suspensions are often argued not to qualify - it's just the loss of an 'add-on service'.

That argument no longer holds. With professional creator accounts (Twitch, YouTube), seller accounts (Amazon, eBay), payment services (PayPal), and substantial digital content (CS2 inventory, Fortnite skins, Steam library), the economic and personal impact is significant.

The threshold is much lower than often assumed: even a consistently used social media account with built-up reach exceeds it - the German Federal Court's Facebook ruling (III ZR 179/20) implicitly recognised this back in 2021.

EasyAntiCheat (Epic), Vanguard (Riot), VAC (Valve), BattleEye - all make suspension decisions without structured human review. Their outputs are usually implemented directly: account permanently banned, no hearing.

That's unlawful under GDPR Art. 22. Even with actual cheating, a permanent ban without human review would be procedurally flawed - the protection applies independently of substantive merits.

In practice we request anti-cheat logs under GDPR Art. 15 and reveal that the decision was purely heuristic (i.e., speculative). The suspension is thus regularly challengeable - and platforms know it.

GDPR Art. 82 grants damages also for non-material harm. The ECJ clarified in C-300/21 (Österreichische Post) that no 'threshold of seriousness' is required - any concretely demonstrable damage is recoverable.

For unlawful account suspensions, three damage categories are typical: time spent on reinstatement; personal frustration and stress (burden); and concrete economic damages (lost items, lost revenue).

Typical magnitudes: €500-3,000 for plain suspension with moderate effort; €3,000-15,000 for substantial economic effects. Large cases with 6-figure consequential damages open the frame accordingly.