The CJEU has issued its ruling in C-203/22 CK v Dun & Bradstreet Austria GmbH and Magistrat der Stadt Wien.
A mobile telephone operator refused to allow a customer to enter into a contract because her credit standing was insufficient. The operator relied on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria, which provides credit ratings. The contract would have involved a monthly payment of €10.
The case came to court and the court found that D&B had infringed the GDPR. It said that D&B had failed to provide the customer with ‘meaningful information about the logic involved’ in the automated decision-making in question. At the very least, D&B had failed to give a sufficient statement of reasons as to why it was unable to provide that information.
The Austrian courts referred the issue to the CJEU to find out exactly what D&B needed to do in practice. They sought guidance on the interpretation of the GDPR and the Directive on the protection of trade secrets.
GDPR
The CJEU said that the data controller must describe the procedure and principles applied so that the data subject can understand which personal information has been used, and how it has been used, in the automated decision-making. To meet the requirements of transparency and intelligibility, it could be appropriate to inform the data subject of the extent to which a variation in the personal data considered would have led to a different result. By contrast, the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation. The explanation provided must enable the data subject to understand and challenge the automated decision.
Trade secrets
Where the controller believes that the information to be provided contains protected data of third parties or trade secrets, the controller must provide that allegedly protected information to the competent supervisory authority or court. It is for that authority or court to balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to that information. The Court said that the GDPR precludes the application of a national provision which excludes, as a rule, the right of access in question where it would compromise a trade secret of the controller or of a third party.