This document is an excerpt from the EUR-Lex website
Document 62022CJ0203
Judgment of the Court (First Chamber) of 27 February 2025.
CK v Dun & Bradstreet Austria GmbH and Magistrat der Stadt Wien.
Request for a preliminary ruling from the Verwaltungsgericht Wien.
Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 15(1)(h) – Automated decision-making, including profiling – Scoring – Assessment of the creditworthiness of a natural person – Access to meaningful information about the logic involved in profiling – Verification of the accuracy of the information provided – Directive (EU) 2016/943 – Point 1 of Article 2 – Trade secret – Personal data of third parties.
Case C-203/22.
Court reports – general – 'Information on unpublished decisions' section
ECLI identifier: ECLI:EU:C:2025:117
JUDGMENT OF THE COURT (First Chamber)
27 February 2025
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 15(1)(h) – Automated decision-making, including profiling – Scoring – Assessment of the creditworthiness of a natural person – Access to meaningful information about the logic involved in profiling – Verification of the accuracy of the information provided – Directive (EU) 2016/943 – Point 1 of Article 2 – Trade secret – Personal data of third parties)
In Case C‑203/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria), made by decision of 11 February 2022, received at the Court on 16 March 2022, in the proceedings
CK
v
Magistrat der Stadt Wien
other party:
Dun & Bradstreet Austria GmbH,
THE COURT (First Chamber),
composed of K. Lenaerts, President of the Court, acting as President of the First Chamber, T. von Danwitz (Rapporteur), Vice-President of the Court, A. Kumin, N. Jääskinen and I. Ziemele, Judges,
Advocate General: J. Richard de la Tour,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– CK, by C. Wirthensohn, Rechtsanwalt,
– Dun & Bradstreet Austria GmbH, by D. Cooper, Solicitor, A.-S. Oberschelp de Meneses, avocate, K. Van Quathem and B. Van Vooren, advocaten,
– the Spanish Government, by A. Ballesteros Panizo, acting as Agent,
– the Netherlands Government, by M.K. Bulterman and C.S. Schillemans, acting as Agents,
– the Polish Government, by B. Majczyna, acting as Agent,
– the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 12 September 2024,
gives the following
Judgment
1. This request for a preliminary ruling concerns the interpretation, first, of Article 15(1)(h) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), and, second, of point 1 of Article 2 of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ 2016 L 157, p. 1).
2. The request has been made in the proceedings between CK and the Magistrat der Stadt Wien (City Council of Vienna, Austria) concerning the enforcement of a court order requiring Bisnode Austria GmbH, now Dun & Bradstreet Austria GmbH (‘D & B’), an undertaking specialising in the provision of credit assessments, to provide CK with meaningful information about the logic involved in profiling relating to her personal data.
Legal context
European Union law
The GDPR
3. Recitals 4, 11, 58, 63 and 71 of the GDPR state:
…
…
…
…
4. Article 4 of that regulation, entitled ‘Definitions’, provides, in point 4: ‘For the purposes of this Regulation: …
5. Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides, in paragraph 1: ‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. …’
6. Article 13 of that regulation, which concerns the information to be provided where personal data are collected from the data subject, and Article 14 thereof, which concerns the information to be provided where personal data have not been obtained from the data subject, provide, in paragraph 2(f) and paragraph 2(g), respectively, that the controller, to ensure fair and transparent processing in respect of the data subject, must provide the data subject with, inter alia, information as to ‘the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’.
7. Article 15 of the GDPR, entitled ‘Right of access by the data subject’, is worded as follows: ‘1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: …
… 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’
8. Article 22 of that regulation, entitled ‘Automated individual decision-making, including profiling’, provides: ‘1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision:
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.’
9. As set out in Article 23 of the GDPR, headed ‘Restrictions’: ‘1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: … (i) the protection of the data subject or the rights and freedoms of others; … 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
10. Article 54 of that regulation, entitled ‘Rules on the establishment of the supervisory authority’, provides, in paragraph 2: ‘The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.’
11. Article 58 of the GDPR, headed ‘Powers’, provides, in paragraph 1(e): ‘Each supervisory authority shall have all of the following investigative powers:
Directive 2016/943
12. Recital 35 of Directive 2016/943 states: ‘… this Directive should not affect the rights and obligations laid down in Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], in particular the rights of the data subject to access his or her personal data being processed and to obtain the rectification, erasure or blocking of the data where it is incomplete or inaccurate …’
13. Point 1 of Article 2 of that directive provides: ‘For the purposes of this Directive, the following definitions apply:
14. Article 9 of the directive, entitled ‘Preservation of confidentiality of trade secrets in the course of legal proceedings’, provides: ‘1. Member States shall ensure that the parties, their lawyers or other representatives, court officials, witnesses, experts and any other person participating in legal proceedings relating to the unlawful acquisition, use or disclosure of a trade secret, or who has access to documents which form part of those legal proceedings, are not permitted to use or disclose any trade secret or alleged trade secret which the competent judicial authorities have, in response to a duly reasoned application by an interested party, identified as confidential and of which they have become aware as a result of such participation or access. In that regard, Member States may also allow competent judicial authorities to act on their own initiative. The obligation referred to in the first subparagraph shall remain in force after the legal proceedings have ended. However, such obligation shall cease to exist in any of the following circumstances:
2. Member States shall also ensure that the competent judicial authorities may, on a duly reasoned application by a party, take specific measures necessary to preserve the confidentiality of any trade secret or alleged trade secret used or referred to in the course of legal proceedings relating to the unlawful acquisition, use or disclosure of a trade secret. Member States may also allow competent judicial authorities to take such measures on their own initiative. The measures referred to in the first subparagraph shall at least include the possibility:
The number of persons referred to in points (a) and (b) of the second subparagraph shall be no greater than necessary in order to ensure compliance with the right of the parties to the legal proceedings to an effective remedy and to a fair trial, and shall include, at least, one natural person from each party and the respective lawyers or other representatives of those parties to the legal proceedings. 3. When deciding on the measures referred to in paragraph 2 and assessing their proportionality, the competent judicial authorities shall take into account the need to ensure the right to an effective remedy and to a fair trial, the legitimate interests of the parties and, where appropriate, of third parties, and any potential harm for either of the parties, and, where appropriate, for third parties, resulting from the granting or rejection of such measures. 4. Any processing of personal data pursuant to paragraphs 1, 2 or 3 shall be carried out in accordance with [Directive 95/46].’
Austrian law
15. Paragraph 4(6) of the Datenschutzgesetz (Law on Data Protection) of 17 August 1999 (BGBl. I, 165/1999), in its version applicable to the main proceedings (‘the DSG’), precludes, as a rule, the data subject from having access to his or her personal data, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party.
The dispute in the main proceedings and the questions referred for a preliminary ruling
16. CK was refused, by a mobile telephone operator, the conclusion or extension of a mobile telephone contract which would have required a monthly payment of EUR 10 on the ground that, according to an automated credit assessment, carried out by D & B, she did not have sufficient financial creditworthiness.
17. CK brought the matter before the Austrian data protection authority, which ordered D & B to disclose to CK meaningful information about the logic involved in the automated decision-making based on personal data concerning CK.
18. D & B brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria), claiming, in essence, that, due to a protected trade secret, it did not have to disclose to CK any information in addition to the information that had already been provided to her.
19. By decision of 23 October 2019 (‘the decision of 23 October 2019’), that court found that D & B had infringed Article 15(1)(h) of the GDPR by failing to provide CK with meaningful information about the logic involved in the automated decision-making based on personal data concerning CK, or, at the very least, by failing to give a sufficient statement of reasons as to why it was unable to provide that information.
20. In particular, in that decision, the Bundesverwaltungsgericht (Federal Administrative Court) noted that D & B had not provided CK with sufficient explanations to enable her to understand how the prognosis on the probability of her future behaviour (‘score’) had been established in relation to her, which that undertaking communicated to CK, stating that, with a view to obtaining that ‘score’, certain socio-demographic data concerning CK had been ‘given equal weighting’.
21. The decision of 23 October 2019 has become final and is enforceable under Austrian law. However, CK’s application for enforcement of that decision, lodged by CK with the City Council of Vienna, which is the enforcing authority, was rejected on the ground that D & B had met, to the requisite standard, its obligation to provide information, even though that company had not provided any additional information after that decision was adopted.
22. CK brought an action against the decision of the City Council of Vienna before the Verwaltungsgericht Wien (Administrative Court, Vienna, Austria), which is the referring court, seeking enforcement of the decision of 23 October 2019.
23. The referring court takes the view that, under Austrian law, it is required to have that decision enforced, which would mean having to determine the specific acts that D & B is required to carry out pursuant to that decision.
24. Taking the view that that determination can only be made by an expert with the requisite expertise, the referring court appointed an expert who took the view that D & B was required to provide the following minimum information in order to meet its obligations with respect to CK:
25. In order to ensure that, after it has been provided, the accuracy of that minimum information can be verified by CK, D & B should also provide a list of scoring for the period covering the six months preceding and the six months following the establishment of CK’s score, as obtained using the same calculation rule.
26. According to the referring court, only the disclosure of the minimum information specified by that expert would enable the consistency and accuracy of the information provided by a controller under Article 15(1)(h) of the GDPR to be verified.
27. In the present case, there are a number of clear indications that the information provided by D & B is contrary to the facts. While the information provided to CK, including, inter alia, the score obtained, showed CK to have very good credit standing, the actual profiling led to her being regarded as not creditworthy, including as regards the capacity to pay the amount of EUR 10 per month under a mobile telephone contract.
28. In the referring court’s view, the question therefore arises whether Article 15(1)(h) of the GDPR guarantees the data subject the possibility to verify the accuracy of the information provided by the controller.
29. In the event that Article 15(1)(h) of the GDPR does not guarantee this, the right of access to the data subject’s personal data and other information provided for therein would be rendered meaningless and useless, especially since each controller could in that case be able to provide incorrect information.
30. According to the referring court, the question also arises whether and, if so, to what extent the exception based on the existence of a trade secret is capable of restricting that right of access guaranteed by the combined provisions of Article 15(1)(h) and Article 22 of the GDPR.
31. In the light of the rules laid down in Article 9 of Directive 2016/943, it is necessary to assess whether it is conceivable that information classified as a ‘trade secret’ within the meaning of point 1 of Article 2 of that directive may be disclosed only to the authority or court seised in order for that authority or court to verify independently whether it must be found that there is in fact such a trade secret and whether that information provided by the controller, for the purposes of Article 15(1) of the GDPR, corresponds to the reality of the situation at issue.
32. Lastly, the referring court takes the view that it is necessary to examine whether a provision such as Paragraph 4(6) of the DSG, which excludes, as a rule, the data subject’s right of access, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party, may be regarded as consistent with the combined provisions of Article 15(1) and Article 22(3) of the GDPR.
33. In those circumstances, the Verwaltungsgericht Wien (Administrative Court, Vienna) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
Procedure before the Court
34. By decision of 8 December 2022, the President of the Court suspended the present proceedings pending final judgment in Case C‑634/21, SCHUFA Holding and Others (Scoring).
35. In accordance with the decision of the President of the Court of 13 December 2023, the Registry of the Court of Justice notified the referring court of the judgment of 7 December 2023, SCHUFA Holding and Others (Scoring) (C‑634/21, EU:C:2023:957), by inviting it to indicate whether, in the light of that judgment, it wished to maintain its request for a preliminary ruling.
36. By letter received at the Court Registry on 29 January 2024, the referring court stated that it was maintaining its request for a preliminary ruling, since the judgment of 7 December 2023, SCHUFA Holding and Others (Scoring) (C‑634/21, EU:C:2023:957), did not provide an answer to the questions which it had referred in the present case.
37. By decision of 14 February 2024, the President of the Court therefore ordered that the proceedings in the present case be resumed.
Consideration of the questions referred
Questions 1 and 2 and Question 3(a)
38. By Questions 1 and 2 and Question 3(a), which it is appropriate to examine together, the referring court asks, in essence, whether Article 15(1)(h) of the GDPR must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller to provide, as ‘meaningful information about the logic involved’, an exhaustive explanation of the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.
39. In accordance with settled case-law of the Court, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 19 and the case-law cited).
40. As regards, first of all, the wording of Article 15(1)(h) of the GDPR, it should be noted, first, that the generally accepted meanings of the concept of ‘meaningful information’ under that provision, in the various language versions of that provision, differ; some, like the French-language version, favour the functionality (‘nuttige’ in Dutch, ‘úteis’ in Portuguese) or the relevance (‘pertinente’ in Romanian) of the information to be provided, while others place greater emphasis on the importance of that information (‘significativa’ in Spanish and ‘istotne’ in Polish). Lastly, in both the German- and the English-language versions of that provision, the term used (‘aussagekräftig’ and ‘meaningful’, respectively) may be understood both as relating to the good intelligibility of that information and as referring to that information being of a certain value.
41. The diversity of generally accepted meanings in the various language versions must be understood in such a way that the various meanings set out in the preceding paragraph are complementary, which it is appropriate to take into account when interpreting the concept of ‘meaningful information about the logic involved’ under Article 15(1)(h) of the GDPR, as the Advocate General observed, in essence, in point 65 of his Opinion.
42. Second, in the light of its general wording, the reference, in that provision, to the ‘logic involved’ in automated decision-making, which constitutes the subject matter of that ‘meaningful information’, is capable of covering a wide range of ‘logics’ concerning the use of personal data and other data with a view to obtaining a specific result by automated means. That interpretation is supported by certain language versions of that provision which use terms referring, in a complementary manner, to various aspects of the generally accepted meaning of the concept of ‘logic’. Thus, for example, in the Czech- and Polish-language versions, reference is made to the terms ‘postupu’ and ‘zasady’, respectively, which may be translated as ‘procedure’ and ‘principles’.
43. It must therefore be held that the wording of Article 15(1)(h) of the GDPR covers all relevant information concerning the procedure and principles relating to the use, by automated means, of personal data with a view to obtaining a specific result.
44. As regards, next, the context in which the concept of ‘meaningful information about the logic involved’, within the meaning of Article 15(1)(h) of the GDPR, occurs, it must be pointed out, in the first place, that that information is only part of the information covered by the right of access provided for in that article, which also concerns information concerning the importance and the envisaged consequences of the processing at issue for the data subject.
45. Although that information, which, according to the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 adopted on 3 October 2017 by the Working Party set up under Article 29 of Directive 95/46, as revised and adopted on 6 February 2018, in order to be meaningful and understandable, should be accompanied by ‘real, tangible examples’, is not the subject of the questions referred by the national court, it must nevertheless be taken into account as part of the context in which the concept of ‘meaningful information about the logic involved’ occurs.
46. In the second place, having regard to the fact that the concept of ‘meaningful information about the logic involved’ also appears in Article 13(2)(f) and Article 14(2)(g) of the GDPR, the Court has already held that, in the case of automated decision-making, within the meaning of Article 22(1) of that regulation, the right of access to such information enshrined in Article 15(1)(h) thereof forms a whole with the additional information obligations imposed on the controller under Article 13(2)(f) and Article 14(2)(g) of the GDPR (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 56).
47. In the third place, as the Advocate General stated, in essence, in points 58 to 60 of his Opinion, in the contextual interpretation of the rights of access provided for in the case of automated decision-making, account must be taken of the case-law of the Court relating to the requirements to be met by the controller under Article 15(3) of the GDPR.
48. Thus, account must be taken, inter alia, of the fact that the requirement of transparency of the information provided, laid down in Article 12(1) of the GDPR, applies to all the data and information referred to in Article 15, including those relating to automated decision-making.
49. In order to ensure that the data subject is able fully to understand the information provided to him or her by the controller, Article 12(1) requires the controller to take appropriate measures, inter alia, to provide the data subject with those data and information in a concise, transparent, intelligible and easily accessible form, using plain and clear language (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 38).
50. The examination of the context of which Article 15(1)(h) of the GDPR forms part thus supports the interpretation that emerges from the analysis of the wording of that provision, according to which ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of that provision, covers all relevant information concerning the procedure and principles relating to the use of personal data with a view to obtaining, by automated means, a specific result, the obligation of transparency also requiring that that information be provided in a concise, transparent, intelligible and easily accessible form.
51. As regards, lastly, the purposes of the GDPR, it should be recalled that the objective of that regulation consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, enshrined in Article 16 TFEU and guaranteed as a fundamental right in Article 8 of the Charter, which supplements the right to private life guaranteed in Article 7 thereof (see, to that effect, judgment of 4 October 2024, Schrems (Communication of data to the general public), C‑446/21, EU:C:2024:834, paragraph 45 and the case-law cited).
52. Thus, as stated moreover in recital 11, the purpose of the GDPR is to strengthen and set out in detail the rights of data subjects (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 33 and the case-law cited).
53. As regards, specifically, the right of access provided for in Article 15 of the GDPR, it is apparent from the case-law of the Court that that right must enable the data subject to ensure that the personal data concerning him or her are correct and that they are processed in a lawful manner (judgments of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 34, and of 26 October 2023, FT (Copies of medical records), C‑307/22, EU:C:2023:811, paragraph 73).
54. That right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, right of action and right to compensation, laid down in Articles 79 and 82 of the GDPR, respectively (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 35).
55. In particular, in the specific context of the adoption of a decision based solely on automated processing, the main purpose of the data subject’s right to obtain the information provided for in Article 15(1)(h) of the GDPR is to enable him or her effectively to exercise the rights conferred on him or her by Article 22(3) of that regulation, namely the right to express his or her point of view on that decision and to contest it.
56. If the individuals affected by an automated decision, including profiling, were not in a position to understand the reasons which led to that decision before expressing their point of view or contesting the decision, those rights would not, accordingly, satisfy in full their purpose of protecting those individuals against the particular risks to their rights and freedoms represented by the automated processing of their personal data (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 57).
57. In that regard, it is apparent from recital 71 of the GDPR that, where the data subject is the subject of a decision which is based solely on automated processing and which significantly affects him or her, that data subject must have the right to obtain an explanation of that decision. As the Advocate General observed in point 67 of his Opinion, it must therefore be held that Article 15(1)(h) of the GDPR affords the data subject a genuine right to an explanation as to the functioning of the mechanism involved in automated decision-making of which that person was the subject and of the result of that decision.
58. It is apparent from the examination of the purposes of the GDPR and, in particular, those of Article 15(1)(h) thereof that the right to obtain ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of that provision, must be understood as a right to an explanation of the procedure and principles actually applied in order to use, by automated means, the personal data of the data subject with a view to obtaining a specific result, such as a credit profile. In order to enable the data subject effectively to exercise the rights conferred on him or her by the GDPR and, in particular, Article 22(3) thereof, that explanation must be provided by means of relevant information and in a concise, transparent, intelligible and easily accessible form.
59 |
Those requirements cannot be satisfied either by the mere communication of a complex mathematical formula, such as an algorithm, or by the detailed description of all the steps in automated decision-making, since none of those would constitute a sufficiently concise and intelligible explanation. |
60 |
As is apparent from page 25 of the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, referred to in paragraph 45 of the present judgment, first, the controller should find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the automated decision. Second, the GDPR requires the controller to provide meaningful information about the logic involved in that decision, but ‘not necessarily a complex explanation of the algorithms used or disclosure of the full algorithm’. |
61 |
Thus, the ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of Article 15(1)(h) of the GDPR, must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in what way in the automated decision-making at issue, with the complexity of the operations to be carried out in the context of automated decision-making not being capable of relieving the controller of the duty to provide an explanation. |
62 |
As regards, specifically, profiling such as that at issue in the main proceedings, the referring court could, inter alia, find that it is sufficiently transparent and intelligible to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result. |
63 |
That said, it should also be stated that, as regards the question whether the information provided must allow the data subject to be able to verify the accuracy of the personal data concerning him or her and on which automated decision-making is based, the right of access to those data is covered not by Article 15(1)(h) of the GDPR, but by the introductory sentence of that paragraph, which guarantees the data subject the possibility to ensure that the data are correct, as is apparent from the case-law cited in paragraph 53 above. |
64 |
Lastly, as regards the referring court’s assertion that the information provided by D & B to CK, pursuant to Article 15(1)(h) of the GDPR, is contrary to the facts, since the ‘actual’ profiling led to her being regarded as not creditworthy although that information suggested the contrary, it should be noted that, if, according to that court, the non-compliance thus established results from D & B’s failure to provide to CK the profiling carried out in respect of her on behalf of the mobile telephone undertaking which, on that basis, refused to conclude or renew a contract with her, it should be remedied by means of the right of access to the credit profile thus established. In that regard, it is apparent from the Court’s case-law that personal data generated by the controller itself fall within the scope of Article 14 of the GDPR (see, to that effect, judgment of 28 November 2024, Másdi, C‑169/23, EU:C:2024:988, paragraph 48). |
65 |
By contrast, an explanation of the differences between the result of such ‘actual’ profiling, assuming it to be established, and the result communicated by D & B to CK and obtained, according to that company, by means of ‘equal weighting’ of the data relating to CK, would indeed fall within the scope of ‘meaningful information about the logic involved’ in the profiling thus carried out. In accordance with what has been stated in paragraph 58 above, D & B is therefore required to explain in a concise, transparent, intelligible and easily accessible form the procedure and principles pursuant to which the result of the ‘actual’ profiling was obtained. |
66 |
It follows from all of the foregoing that the answer to Questions 1 and 2 and to Question 3(a) is that Article 15(1)(h) of the GDPR must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller, as ‘meaningful information about the logic involved’, to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile. |
Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6
67 |
By Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6, which it is appropriate to examine together, the referring court asks, in essence, whether Article 15(1)(h) of the GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR. |
68 |
In that regard, it should be recalled that, pursuant to recital 4 of the GDPR, the right to the protection of personal data is not an absolute right and must be balanced against other fundamental rights, in accordance with the principle of proportionality. Thus, the GDPR respects all the fundamental rights and observes the freedoms and principles recognised by the Charter, as enshrined by the Treaties (judgment of 26 October 2023, FT (Copies of medical records), C‑307/22, EU:C:2023:811, paragraph 59 and the case-law cited). |
69 |
Moreover, recital 63 of that regulation states that the right for any data subject to have access to personal data which have been collected concerning him or her should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. |
70 |
However, the result of those considerations should not be a refusal to provide all information to the data subject. Thus, Article 23(1)(i) of that regulation provides, in essence, that a restriction of the scope of the obligations and rights provided for in, inter alia, Article 15 of the GDPR is possible only when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the protection of the rights and freedoms of others. |
71 |
In the light of the related right to obtain a copy, enshrined in Article 15(4) of the GDPR, the Court has already held that its application must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 43). |
72 |
In that context, the Court has noted that, in the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’ (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 44). |
73 |
As to how the right of access enshrined in Article 15(1)(h) of the GDPR may be implemented in such a way as to respect the rights and freedoms of others, it should be recalled that, according to the case-law, a national court may take the view that the personal data of the parties or of third parties must be disclosed to it in order to be able to balance, in full knowledge of the facts and in accordance with the principle of proportionality, the interests involved. That assessment may, depending on the case, lead it to authorise the full or partial disclosure to the opposing party of the personal data thus communicated to it, if it finds that such disclosure does not go beyond what is necessary for the purpose of guaranteeing the effective enjoyment of the rights which individuals derive from Article 47 of the Charter (judgment of 2 March 2023, Norra Stockholm Bygg, C‑268/21, EU:C:2023:145, paragraph 58). |
74 |
As the Advocate General observed in point 94 of his Opinion, that case-law can be fully transposed to the situation in which the information to be provided to the data subject under the right of access guaranteed by Article 15(1)(h) of the GDPR is likely to result in an infringement of the rights and freedoms of others, in particular in so far as it contains personal data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943. In that case too, that information must be disclosed to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to personal data concerning him or her. |
75 |
Having regard to the need to make that determination on a case-by-case basis, Article 15(1)(h) of the GDPR precludes inter alia the application of a provision such as Paragraph 4(6) of the DSG which excludes, as a rule, the data subject’s right of access, provided for in Article 15 of the GDPR, where such access would compromise a business or trade secret of the controller or of a third party. In that regard, it should be borne in mind that a Member State cannot definitively prescribe the result of a case-by-case balancing of the rights and interests at issue imposed by EU law (see, to that effect, judgment of 7 December 2023, SCHUFA Holding and Others (Scoring), C‑634/21, EU:C:2023:957, paragraph 70 and the case-law cited). |
76 |
In the light of all of the foregoing, the answer to Question 3(b) and (c), Question 4(a) and (b), and Questions 5 and 6 is that Article 15(1)(h) of the GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR. |
Costs
77 |
Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable. |
On those grounds, the Court (First Chamber) hereby rules: |
[Signatures] |
( *1 ) Language of the case: German.