The Court of Justice of the European Union (CJEU) has clarified the requirements under Article 15(1)(h) GDPR regarding the right of data subjects to obtain meaningful information about automated decision-making. The judgment in Dun & Bradstreet Austria (C-203/22) confirms that data controllers must adequately explain how automated credit assessments are carried out.
The case arose after an Austrian mobile operator denied a customer a contract based on an automated credit assessment without disclosing how the decision was made. An Austrian court found this violated the GDPR, prompting a preliminary reference to the CJEU on the extent of information required.
The Court ruled that data controllers must explain the procedure and principles underlying automated decision-making, ensuring the data subject understands which personal data was considered and how modifications could affect the outcome. Simply providing an algorithm is insufficient.
Additionally, if a controller cites trade secrets to justify withholding information, it must disclose the details to the competent supervisory authority or court, which will assess the balance between commercial interests and the data subject’s rights. The Court further held that national laws cannot automatically deny access to personal data on trade secret grounds where doing so undermines the GDPR’s transparency requirements.