Dun & Bradstreet Austria (Protection of personal data - Automated decision-making, including profiling – Scoring – Assessment of the creditworthiness of a natural person - Judgment) [2025] EUECJ C-203/22 (27 February 2025)


Court of Justice of the European Communities (including Court of First Instance Decisions)


URL: http://www.bailii.org/eu/cases/EUECJ/2025/C20322.html
Cite as: ECLI:EU:C:2025:117, [2025] EUECJ C-203/22, EU:C:2025:117



Provisional text

JUDGMENT OF THE COURT (First Chamber)

27 February 2025 (*)

( Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Paragraph 15(1)(h) – Automated decision-making, including profiling – Scoring – Assessment of the creditworthiness of a natural person – Access to meaningful information about the logic involved in profiling – Verification of the accuracy of the information provided – Directive (EU) 2016/943 – Point 1 of Article 2 – Trade secret – Personal data of third parties )

In Case C‑203/22,

REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria), made by decision of 11 February 2022, received at the Court on 16 March 2022, in the proceedings

CK

v

Magistrat der Stadt Wien

other party:

Dun & Bradstreet Austria GmbH,

THE COURT (First Chamber),

composed of K. Lenaerts, President of the Court, acting as President of the First Chamber, T. von Danwitz (Rapporteur), Vice-President of the Court, A. Kumin, N. Jääskinen and I. Ziemele, Judges,

Advocate General: J. Richard de la Tour,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–        CK, by C. Wirthensohn, Rechtsanwalt,

–        Dun & Bradstreet Austria GmbH, by D. Cooper, Solicitor, A.-S. Oberschelp de Meneses, avocate, K. Van Quathem and B. Van Vooren, advocaten,

–        the Spanish Government, by A. Ballesteros Panizo, acting as Agent,

–        the Netherlands Government, by M.K. Bulterman and C.S. Schillemans, acting as Agents,

–        the Polish Government, by B. Majczyna, acting as Agent,

–        the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 12 September 2024,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation, first, of Article 15(1)(h) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), and, second, of point 1 of Article 2 of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ 2016 L 157, p. 1).

2        The request has been made in the proceedings between CK and the Magistrat der Stadt Wien (City Council of Vienna, Austria) concerning the enforcement of a court order requiring Bisnode Austria GmbH, now Dun & Bradstreet Austria GmbH (‘D & B’), an undertaking specialising in the provision of credit assessments, to provide CK with meaningful information about the logic involved in profiling relating to her personal data.

 Legal context

 European Union law

 The GDPR

3        Recitals 4, 11, 58, 63 and 71 of the GDPR state:

‘(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the [Charter of Fundamental Rights of the European Union (“the Charter”)] as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(11)      Effective protection of personal data throughout the [European] Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(58)      The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. …

(63)      A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. … That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. …

(71)      The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes “profiling” that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. … In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. …’

4        Article 4 of that regulation, entitled ‘Definitions’, provides, in point 4:

‘For the purposes of this Regulation:

(4)      “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.

5        Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides, in paragraph 1:

‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. …’

6        Article 13 of that regulation, which concerns the information to be provided where personal data are collected from the data subject, and Article 14 thereof, which concerns the information to be provided where personal data have not been obtained from the data subject, provide, in paragraphs 2(f) and 2(g), respectively, that the controller, to ensure fair and transparent processing in respect of the data subject, must provide the data subject with, inter alia, information as to ‘the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’.

7        Article 15 of the GDPR, entitled ‘Right of access by the data subject’, is worded as follows:

‘1.      The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(h)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.      The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.      The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’

8        Article 22 of that regulation, entitled ‘Automated individual decision-making, including profiling’, provides:

‘1.      The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2.      Paragraph 1 shall not apply if the decision:

(a)      is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b)      is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c)      is based on the data subject’s explicit consent.

3.      In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4.      Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.’

9        As set out in Article 23 of the GDPR, headed ‘Restrictions’:

‘1.      Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(i)      the protection of the data subject or the rights and freedoms of others;

2.      In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a)      the purposes of the processing or categories of processing;

(b)      the categories of personal data;

(c)      the scope of the restrictions introduced;

(d)      the safeguards to prevent abuse or unlawful access or transfer;

(e)      the specification of the controller or categories of controllers;

(f)      the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)      the risks to the rights and freedoms of data subjects; and

(h)      the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.’

10      Article 54 of that regulation, entitled ‘Rules on the establishment of the supervisory authority’, provides, in paragraph 2:

‘The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.’

11      Article 58 of the GDPR, headed ‘Powers’, provides, in paragraph 1(e):

‘Each supervisory authority shall have all of the following investigative powers:

(e)      to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks’.

 Directive 2016/943

12      Recital 35 of Directive 2016/943 states:

‘… this Directive should not affect the rights and obligations laid down in Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], in particular the rights of the data subject to access his or her personal data being processed and to obtain the rectification, erasure or blocking of the data where it is incomplete or inaccurate …’

13      Point 1 of Article 2 of that directive provides:

‘For the purposes of this Directive, the following definitions apply:

(1)      “trade secret” means information which meets all of the following requirements:

(a)      it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

(b)      it has commercial value because it is secret;

(c)      it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret’.

14      Article 9 of the directive, entitled ‘Preservation of confidentiality of trade secrets in the course of legal proceedings’, provides:

‘1.      Member States shall ensure that the parties, their lawyers or other representatives, court officials, witnesses, experts and any other person participating in legal proceedings relating to the unlawful acquisition, use or disclosure of a trade secret, or who has access to documents which form part of those legal proceedings, are not permitted to use or disclose any trade secret or alleged trade secret which the competent judicial authorities have, in response to a duly reasoned application by an interested party, identified as confidential and of which they have become aware as a result of such participation or access. In that regard, Member States may also allow competent judicial authorities to act on their own initiative.

The obligation referred to in the first subparagraph shall remain in force after the legal proceedings have ended. However, such obligation shall cease to exist in any of the following circumstances:

(a)      where the alleged trade secret is found, by a final decision, not to meet the requirements set out in point 1 of Article 2; or

(b)      where[,] over time, the information in question becomes generally known among or readily accessible to persons within the circles that normally deal with that kind of information.

2.      Member States shall also ensure that the competent judicial authorities may, on a duly reasoned application by a party, take specific measures necessary to preserve the confidentiality of any trade secret or alleged trade secret used or referred to in the course of legal proceedings relating to the unlawful acquisition, use or disclosure of a trade secret. Member States may also allow competent judicial authorities to take such measures on their own initiative.

The measures referred to in the first subparagraph shall at least include the possibility:

(a)      of restricting access to any document containing trade secrets or alleged trade secrets submitted by the parties or third parties, in whole or in part, to a limited number of persons;

(b)      of restricting access to hearings, when trade secrets or alleged trade secrets may be disclosed, and the corresponding record or transcript of those hearings to a limited number of persons;

(c)      of making available to any person other than those comprised in the limited number of persons referred to in points (a) and (b) a non-confidential version of any judicial decision, in which the passages containing trade secrets have been removed or redacted.

The number of persons referred to in points (a) and (b) of the second subparagraph shall be no greater than necessary in order to ensure compliance with the right of the parties to the legal proceedings to an effective remedy and to a fair trial, and shall include, at least, one natural person from each party and the respective lawyers or other representatives of those parties to the legal proceedings.

3.      When deciding on the measures referred to in paragraph 2 and assessing their proportionality, the competent judicial authorities shall take into account the need to ensure the right to an effective remedy and to a fair trial, the legitimate interests of the parties and, where appropriate, of third parties, and any potential harm for either of the parties, and, where appropriate, for third parties, resulting from the granting or rejection of such measures.

4.      Any processing of personal data pursuant to paragraphs 1, 2 or 3 shall be carried out in accordance with [Directive 95/46].’

 Austrian law

15      Paragraph 4(6) of the Datenschutzgesetz (Law on Data Protection) of 17 August 1999 (BGBl. I, 165/1999), in its version applicable to the main proceedings (‘the DSG’), precludes, as a rule, the data subject from having access to his or her personal data, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

16      CK was refused, by a mobile telephone operator, the conclusion or extension of a mobile telephone contract which would have required a monthly payment of EUR 10 on the ground that, according to an automated credit assessment, carried out by D & B, she did not have sufficient financial creditworthiness.

17      CK brought the matter before the Austrian data protection authority, which ordered D & B to disclose to CK meaningful information about the logic involved in the automated decision-making based on personal data concerning CK.

18      D & B brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria), claiming, in essence, that, due to a protected trade secret, it did not have to disclose to CK any information in addition to the information that had already been provided to her.

19      By decision of 23 October 2019 (‘the decision of 23 October 2019’), that court found that D & B had infringed Article 15(1)(h) of the GDPR by failing to provide CK with meaningful information about the logic involved in the automated decision-making based on personal data concerning CK, or, at the very least, by failing to give a sufficient statement of reasons as to why it was unable to provide that information.

20      In particular, in that decision, the Bundesverwaltungsgericht (Federal Administrative Court) noted that D & B had not provided CK with sufficient explanations to enable her to understand how the prognosis on the probability of her future behaviour (‘score’) had been established in relation to her, which that undertaking communicated to CK, stating that, with a view to obtaining that ‘score’, certain socio-demographic data concerning CK had been ‘given equal weighting’.

21      The decision of 23 October 2019 has become final and is enforceable under Austrian law. However, CK’s application for enforcement of that decision, lodged by CK with the City Council of Vienna, which is the enforcing authority, was rejected on the ground that D & B had met, to the requisite standard, its obligation to provide information, even though that company had not provided any additional information after that decision was adopted.

22      CK brought an action against the decision of the City Council of Vienna before the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria), which is the referring court, seeking enforcement of the decision of 23 October 2019.

23      The referring court takes the view that, under Austrian law, it is required to have that decision enforced, which would mean having to determine the specific acts that D & B is required to carry out pursuant to that decision.

24      Taking the view that that determination can only be made by an expert with the requisite expertise, the referring court appointed an expert who took the view that D & B was required to provide the following minimum information in order to meet its obligations with respect to CK:

–        the personal data concerning CK which have been processed in order to formulate a ‘factor’ (date of birth, address, sex, etc.);

–        the mathematical formula on which the calculation that led to the score at issue in the main proceedings is based;

–        the specific value attributed to CK for each of the factors concerned; and

–        the precise intervals within which the same value is attributed to different data for the same factor (interval or discrete evaluation or index/land-register-based evaluation).

25      In order to ensure that, after it has been provided, the accuracy of that minimum information can be verified by CK, D & B should also provide a list of scoring for the period covering the six months preceding and the six months following the establishment of CK’s score, as obtained using the same calculation rule.

26      According to the referring court, only the disclosure of the minimum information specified by that expert would enable the consistency and accuracy of the information provided by a controller under Article 15(1)(h) of the GDPR to be verified.

27      In the present case, there are a number of clear indications that the information provided by D & B is contrary to the facts. While the information provided to CK, including, inter alia, the score obtained, showed CK to have very good credit standing, the actual profiling led to her being regarded as not creditworthy, including as regards the capacity to pay the amount of EUR 10 per month under a mobile telephone contract.

28      In the referring court’s view, the question therefore arises whether Article 15(1)(h) of the GDPR guarantees the data subject the possibility to verify the accuracy of the information provided by the controller.

29      In the event that Article 15(1)(h) of the GDPR does not guarantee this, the right of access to the data subject’s personal data and other information provided for therein would be rendered meaningless and useless, especially since each controller could in that case be able to provide incorrect information.

30      According to the referring court, the question also arises whether and, if so, to what extent the exception based on the existence of a trade secret is capable of restricting that right of access guaranteed by the combined provisions of Article 15(1)(h) and Article 22 of the GDPR.

31      In the light of the rules laid down in Article 9 of Directive 2016/943, it is necessary to assess whether it is conceivable that information classified as a ‘trade secret’ within the meaning of point 1 of Article 2 of that directive may be disclosed only to the authority or court seised in order for that authority or court to verify independently whether it must be found that there is in fact such a trade secret and whether that information provided by the controller, for the purposes of Article 15(1) of the GDPR, corresponds to the reality of the situation at issue.

32      Lastly, the referring court takes the view that it is necessary to examine whether a provision such as Paragraph 4(6) of the DSG, which excludes, as a rule, the data subject’s right of access, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party, may be regarded as consistent with the combined provisions of Article 15(1) and Article 22(3) of the GDPR.

33      In those circumstances, the Verwaltungsgericht Wien (Administrative Court, Vienna) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) of [the GDPR]?

In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller – where necessary in compliance with an existing trade secret – as part of the disclosure of the “logic involved” which includes, in particular, (1) the disclosure of the data subject’s processed data, (2) the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and (3) the information relevant to establishing the connection between the processed information and the rating arrived at?

In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR:

(a)      [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

(b)      … the input data used for profiling,

(c)      the parameters and input variables used in the determination of the rating,

(d)      the influence of these parameters and input variables on the calculated rating,

(e)      information on the origin of the parameters or input variables,

(f)      an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and clarification of the implications of such rating,

(g)      [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?

(2)      Is the right of access granted by Article 15(1)(h) of the GDPR related to the rights guaranteed by Article 22(3) of the GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 of the GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) of the GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpose of Article 15(1)(h) of the GDPR is enabled to exercise the rights guaranteed by Article 22(3) of the GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 of the GDPR concerning him or her in a real, profound and promising way?

(3)      (a)      Must Article 15(1)(h) of the GDPR be interpreted as meaning that information constitutes “meaningful information” for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) of the GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?

(b)      If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) of the GDPR (black box)?

Can this tension between the right of access within the meaning of Article 15(1) of the GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?

(c)      If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in [Question 3(b)]?

Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) of the GDPR to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?

(4)      (a)      What is the procedure if the information to be provided in accordance with Article 15(1)(h) of the GDPR also meets the requirements of a trade secret within the meaning of [point 1 of Article 2 of Directive 2016/943]?

Can the tension between the right of access guaranteed by Article 15(1)(h) of the GDPR and the right to non-disclosure of a trade secret protected by [Directive 2016/943] be resolved by allowing the information to be disclosed as a trade secret within the meaning of [point 1 of Article 2 of Directive 2016/943] be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of [point 1 of Article 2 of Directive 2016/943] exists and whether the information provided by the controller within the meaning of Article 15(1) of the GDPR is accurate?

(b)      If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in [Question 4(a)]?

In [the] case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) of the GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR in their entirety:

–        [the] communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

–        … the input data used for profiling,

–        the parameters and input variables used in the determination of the rating,

–        the influence of these parameters and input variables on the calculated rating,

–        information on the origin of the parameters or input variables,

–        an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and clarification of the implications of such rating,

–        [the] listing [of] the profile categories and [the] explanation as to what rating implication is associated with each of the profile categories?

(5)      Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR?

If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?

(6)      Is the provision of [Paragraph] 4(6) of the [DSG], according to which “the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not [exist] vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties” compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?’

 Procedure before the Court

34      By decision of 8 December 2022, the President of the Court suspended the present proceedings pending final judgment in Case C‑634/21, SCHUFA Holding and Others (Scoring).

35      In accordance with the decision of the President of the Court of 13 December 2023, the Registry of the Court of Justice notified the referring court of the judgment of 7 December 2023, SCHUFA Holding and Others (Scoring) (C‑634/21, EU:C:2023:957), by inviting it to indicate whether, in the light of that judgment, it wished to maintain its request for a preliminary ruling.

36      By letter received at the Court Registry on 29 January 2024, the referring court stated that it was maintaining its request for a preliminary ruling, since the judgment of 7 December 2023, SCHUFA Holding and Others (Scoring) (C‑634/21, EU:C:2023:957), did not provide an answer to the questions which it had referred in the present case.

37      By decision of 14 February 2024, the President of the Court therefore ordered that the proceedings in the present case be resumed.

 Consideration of the questions referred

 Questions 1 and 2 and Question 3(a)

38      By Questions 1 and 2 and Question 3(a), which it is appropriate to examine together, the referring court asks, in essence, whether Article 15(1)(h) of the GDPR must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller to provide, as ‘meaningful information about the logic involved’, an exhaustive explanation of the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.

39      In accordance with settled case-law of the Court, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 19 and the case-law cited).

40      As regards, first of all, the wording of Article 15(1)(h) of the GDPR, it should be noted, first, that the generally accepted meanings of the concept of ‘meaningful information’ under that provision, in the various language versions of that provision, differ; some, like the French-language version, favour the functionality (‘nuttige’ in Dutch, ‘úteis’ in Portuguese) or the relevance (‘pertinente’ in Romanian) of the information to be provided, while others place greater emphasis on the importance of that information (‘significativa’ in Spanish and ‘istotne’ in Polish). Lastly, in both the German- and the English-language versions of that provision, the term used (‘aussagekräftig’ and ‘meaningful’, respectively) may be understood both as relating to the good intelligibility of that information and as referring to that information being of a certain value.

41      The diversity of generally accepted meanings in the various language versions must be understood in such a way that the various meanings set out in the preceding paragraph are complementary, which it is appropriate to take into account when interpreting the concept of ‘meaningful information about the logic involved’ under Article 15(1)(h) of the GDPR, as the Advocate General observed, in essence, in point 65 of his Opinion.

42      Second, in the light of its general wording, the reference, in that provision, to the ‘logic involved’ in automated decision-making, which constitutes the subject matter of that ‘meaningful information’, is capable of covering a wide range of ‘logics’ concerning the use of personal data and other data with a view to obtaining a specific result by automated means. That interpretation is supported by certain language versions of that provision which use terms referring, in a complementary manner, to various aspects of the generally accepted meaning of the concept of ‘logic’. Thus, for example, in the Czech- and Polish-language versions, reference is made to the terms ‘postupu’ and ‘zasady’, respectively, which may be translated as ‘procedure’ and ‘principles’.

43      It must therefore be held that the wording of Article 15(1)(h) of the GDPR covers all relevant information concerning the procedure and principles relating to the use, by automated means, of personal data with a view to obtaining a specific result.

44      As regards, next, the context in which the concept of ‘meaningful information about the logic involved’, within the meaning of Article 15(1)(h) of the GDPR, occurs, it must be pointed out, in the first place, that that information is only part of the information covered by the right of access provided for in that article, which also concerns information concerning the importance and the envisaged consequences of the processing at issue for the data subject.

45      Although that information, which, according to the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 adopted on 3 October 2017 by the Working Party set up under Article 29 of Directive 95/46, as revised and adopted on 6 February 2018, in order to be meaningful and understandable, should be accompanied by ‘real, tangible examples’, is not the subject of the questions referred by the national court, it must nevertheless be taken into account as part of the context in which the concept of ‘meaningful information about the logic involved’ occurs.

46      In the second place, having regard to the fact that the concept of ‘meaningful information about the logic involved’ also appears in Article 13(2)(f) and Article 14(2)(g) of the GDPR, the Court has already held that, in the case of automated decision-making, within the meaning of Article 22(1) of that regulation, the right of access to such information enshrined in Article 15(1)(h) thereof forms a whole with the additional information obligations imposed on the controller under Article 13(2)(f) and Article 14(2)(g) of the GDPR (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 56).

47      In the third place, as the Advocate General stated, in essence, in points 58 to 60 of his Opinion, in the contextual interpretation of the rights of access provided for in the case of automated decision-making, account must be taken of the case-law of the Court relating to the requirements to be met by the controller under Article 15(3) of the GDPR.

48      Thus, account must be taken, inter alia, of the fact that the requirement of transparency of the information provided, laid down in Article 12(1) of the GDPR, applies to all the data and information referred to in Article 15, including those relating to automated decision-making.

49      In order to ensure that the data subject is able fully to understand the information provided to him or her by the controller, Article 12(1) requires the controller to take appropriate measures, inter alia, to provide the data subject with those data and information in a concise, transparent, intelligible and easily accessible form, using plain and clear language (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 38).

50      The examination of the context of which Article 15(1)(h) of the GDPR forms part thus supports the interpretation that emerges from the analysis of the wording of that provision, according to which ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of that provision, covers all relevant information concerning the procedure and principles relating to the use of personal data with a view to obtaining, by automated means, a specific result, the obligation of transparency also requiring that that information be provided in a concise, transparent, intelligible and easily accessible form.

51      As regards, lastly, the purposes of the GDPR, it should be recalled that the objective of that regulation consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, enshrined in Article 16 TFEU and guaranteed as a fundamental right in Article 8 of the Charter, which supplements the right to private life guaranteed in Article 7 thereof (see, to that effect, judgment of 4 October 2024, Schrems (Communication of data to the general public), C‑446/21, EU:C:2024:834, paragraph 45 and the case-law cited).

52      Thus, as stated moreover in recital 11, the purpose of the GDPR is to strengthen and set out in detail the rights of data subjects (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 33 and the case-law cited).

53      As regards, specifically, the right of access provided for in Article 15 of the GDPR, it is apparent from the case-law of the Court that that right must enable the data subject to ensure that the personal data concerning him or her are correct and that they are processed in a lawful manner (judgments of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 34, and of 26 October 2023, FT (Copies of medical records), C‑307/22, EU:C:2023:811, paragraph 73).

54      That right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, right of action and right to compensation, laid down in Articles 79 and 82 of the GDPR, respectively (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 35).

55      In particular, in the specific context of the adoption of a decision based solely on automated processing, the main purpose of the data subject’s right to obtain the information provided for in Article 15(1)(h) of the GDPR is to enable him or her effectively to exercise the rights conferred on him or her by Article 22(3) of that regulation, namely the right to express his or her point of view on that decision and to contest it.

56      If the individuals affected by an automated decision, including profiling, were not in a position to understand the reasons which led to that decision before expressing their point of view or contesting the decision, those rights would not, accordingly, satisfy in full their purpose of protecting those individuals against the particular risks to their rights and freedoms represented by the automated processing of their personal data (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 57).

57      In that regard, it is apparent from recital 71 of the GDPR that, where the data subject is the subject of a decision which is based solely on automated processing and which significantly affects him or her, that data subject must have the right to obtain an explanation of that decision. As the Advocate General observed in point 67 of his Opinion, it must therefore be held that Article 15(1)(h) of the GDPR affords the data subject a genuine right to an explanation as to the functioning of the mechanism involved in automated decision-making of which that person was the subject and of the result of that decision.

58      It is apparent from the examination of the purposes of the GDPR and, in particular, those of Article 15(1)(h) thereof that the right to obtain ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of that provision, must be understood as a right to an explanation of the procedure and principles actually applied in order to use, by automated means, the personal data of the data subject with a view to obtaining a specific result, such as a credit profile. In order to enable the data subject effectively to exercise the rights conferred on him or her by the GDPR and, in particular, Article 22(3) thereof, that explanation must be provided by means of relevant information and in a concise, transparent, intelligible and easily accessible form.

59      Those requirements cannot be satisfied either by the mere communication of a complex mathematical formula, such as an algorithm, or by the detailed description of all the steps in automated decision-making, since none of those would constitute a sufficiently concise and intelligible explanation.

60      As is apparent from page 25 of the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, referred to in paragraph 45 of the present judgment, first, the controller should find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the automated decision. Second, the GDPR requires the controller to provide meaningful information about the logic involved in that decision, but ‘not necessarily a complex explanation of the algorithms used or disclosure of the full algorithm’.

61      Thus, the ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR, must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in the automated decision-making at issue, with the complexity of the operations to be carried out in the context of automated decision-making not being capable of relieving the controller of the duty to provide an explanation.

62      As regards, specifically, profiling such as that at issue in the main proceedings, the referring court could, inter alia, find that it is sufficiently transparent and intelligible to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result.

63      That said, it should also be stated that, as regards the question whether the information provided must allow the data subject to be able to verify the accuracy of the personal data concerning him or her and on which automated decision-making is based, the right of access to those data is covered not by Article 15(1)(h) of the GDPR, but by the introductory sentence of that paragraph, which guarantees the data subject the possibility to ensure that the data are correct, as is apparent from the case-law cited in paragraph 53 above.

64      Lastly, as regards the referring court’s assertion that the information provided by D & B to CK, pursuant to Article 15(1)(h) of the GDPR, is contrary to the facts, since the ‘actual’ profiling led to her being regarded as not creditworthy although that information suggested the contrary, it should be noted that, if, according to that court, the non-compliance thus established results from D & B’s failure to provide to CK the profiling carried out in respect of her on behalf of the mobile telephone undertaking which, on that basis, refused to conclude or renew a contract with her, it should be remedied by means of the right of access to the credit profile thus established. In that regard, it is apparent from the Court’s case-law that personal data generated by the controller itself fall within the scope of Article 14 of the GDPR (see, to that effect, judgment of 28 November 2024, Másdi, C‑169/23, EU:C:2024:988, paragraph 48).

65      By contrast, an explanation of the differences between the result of such ‘actual’ profiling, assuming it to be established, and the result communicated by D & B to CK and obtained, according to that company, by means of ‘equal weighting’ of the data relating to CK, would indeed fall within the scope of ‘meaningful information about the logic involved’ in the profiling thus carried out. In accordance with what has been stated in paragraph 58 above, D & B is therefore required to explain in a concise, transparent, intelligible and easily accessible form the procedure and principles pursuant to which the result of the ‘actual’ profiling was obtained.

66      It follows from all of the foregoing that the answer to Questions 1 and 2 and to Question 3(a) is that Article 15(1)(h) of the GDPR must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller, as ‘meaningful information about the logic involved’, to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.

 Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6

67      By Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6, which it is appropriate to examine together, the referring court asks, in essence, whether Article 15(1)(h) of the GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR.

68      In that regard, it should be recalled that, pursuant to recital 4 of the GDPR, the right to the protection of personal data is not an absolute right and must be balanced against other fundamental rights, in accordance with the principle of proportionality. Thus, the GDPR respects all the fundamental rights and observes the freedoms and principles recognised by the Charter, as enshrined by the Treaties (judgment of 26 October 2023, FT (Copies of medical records), C‑307/22, EU:C:2023:811, paragraph 59 and the case-law cited).

69      Moreover, recital 63 of that regulation states that the right for any data subject to have access to personal data which have been collected concerning him or her should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.

70      However, the result of those considerations should not be a refusal to provide all information to the data subject. Thus, Article 23(1)(i) of that regulation provides, in essence, that a restriction of the scope of the obligations and rights provided for in, inter alia, Article 15 of the GDPR is possible only when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the protection of the rights and freedoms of others.

71      In the light of the related right to obtain a copy, enshrined in Article 15(4) of the GDPR, the Court has already held that its application must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 43).

72      In that context, the Court has noted that, in the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’ (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 44).

73      As to how the right of access enshrined in Article 15(1)(h) of the GDPR may be implemented in such a way as to respect the rights and freedoms of others, it should be recalled that, according to the case-law, a national court may take the view that the personal data of the parties or of third parties must be disclosed to it in order to be able to balance, in full knowledge of the facts and in accordance with the principle of proportionality, the interests involved. That assessment may, depending on the case, lead it to authorise the full or partial disclosure to the opposing party of the personal data thus communicated to it, if it finds that such disclosure does not go beyond what is necessary for the purpose of guaranteeing the effective enjoyment of the rights which individuals derive from Article 47 of the Charter (judgment of 2 March 2023, Norra Stockholm Bygg, C‑268/21, EU:C:2023:145, paragraph 58).

74      As the Advocate General observed in point 94 of his Opinion, that case-law can be fully transposed to the situation in which the information to be provided to the data subject under the right of access guaranteed by Article 15(1)(h) of the GDPR is likely to result in an infringement of the rights and freedoms of others, in particular in so far as it contains personal data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943. In that case too, that information must be disclosed to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to personal data concerning him or her.

75      Having regard to the need to make that determination on a case-by-case basis, Article 15(1)(h) of the GDPR precludes inter alia the application of a provision such as Paragraph 4(6) of the DSG which excludes, as a rule, the data subject’s right of access, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party. In that regard, it should be borne in mind that a Member State cannot definitively prescribe the result of a case-by-case balancing of the rights and interests at issue imposed by EU law (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 70 and the case-law cited).

76      In the light of all of the foregoing, the answer to Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6 is that Article 15(1)(h) of the GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR.

 Costs

77      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

1.      Article 15(1)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller, as ‘meaningful information about the logic involved’, to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.

2.      Article 15(1)(h) of Regulation 2016/679

must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of that regulation.

[Signatures]


*      Language of the case: German.

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to the Important legal notice. This electronic version is not authentic and is subject to amendment.

