Automated Credit Assessment: The Data Subject is Entitled to an Explanation of the Decision Taken (GDPR)
In its ruling in case C-203/22 (Dun & Bradstreet Austria), the Court of Justice of the European Union (CJEU) addressed an individual’s right to an explanation where automated decision-making affects their legal or similarly significant status. The judgment provides an important interpretation of the General Data Protection Regulation (GDPR) and its relationship with trade secret protection.
Facts of the Case
In Austria, a mobile service provider refused to conclude a contract with a customer on the grounds that her creditworthiness was insufficient. The operator based its decision on an automated credit assessment conducted by Dun & Bradstreet Austria, a company specializing in such services. The contract would have involved a monthly payment obligation of €10.
In the ensuing court proceedings, an Austrian court ruled, by a final decision, that Dun & Bradstreet had violated the GDPR by failing to provide the customer with “meaningful information about the logic involved” in the automated decision-making process. The company did not provide a sufficient justification as to why it was unable to provide such information.
The court referred the matter to the CJEU, asking how Dun & Bradstreet should, in practice, fulfill its obligation to inform the data subject.
Obligations of Controllers in Automated Decision-Making (GDPR)
In its ruling, the CJEU clarified that a controller must describe the procedure and principles actually applied in an automated decision-making process in a way that enables the data subject to understand:
- Which of their personal data were used,
- How those data were used in reaching the decision.
To meet the requirements of transparency and intelligibility, it may also be appropriate to explain the extent to which a variation in the personal data considered would have led to a different assessment result. The CJEU emphasized that the mere disclosure of an algorithm does not constitute a sufficiently concise and intelligible explanation.
Balancing the Right of Access and Trade Secret Protection (GDPR)
Where a controller believes that the information to be disclosed includes protected third-party data or trade secrets, the controller must provide that allegedly protected information to the competent supervisory authority or court. These authorities must then balance the rights and interests at stake and determine the extent of the data subject’s right of access to that information.
The CJEU explicitly ruled out the application of national provisions that categorically exclude the right of access to information where disclosure would compromise a trade secret of the controller or a third party.
Practical Implications of the Judgment
This ruling has significant implications for companies engaged in automated credit assessments and similar processes. Data controllers must ensure they provide data subjects with a sufficient and comprehensible explanation of the logic behind automated decisions that impact their legal or economic status. Additionally, they must be prepared to cooperate with supervisory authorities and courts in assessing trade secret protection in such cases.
The judgment further strengthens individual rights in data protection and enhances transparency in the use of automated decision-making in practice.