Automated credit assessment: The data subject is entitled to an explanation as to how the decision was taken in respect of him or her
In its Judgment (27.2.2025) in Case C-203/22 (Dun & Bradstreet Austria) as regards the automated credit assessment, the Court of Justice ruled that the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. The explanation provided must enable the data subject to understand and challenge the automated decision.
In Austria, a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied in that regard on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria, an undertaking specialising in the provision of such assessments. The contract would have involved a monthly payment of €10.In the ensuing dispute, an Austrian court found, by final decision, that Dun & Bradstreet had infringed the General Data Protection Regulation (GDPR). [1]. Dun & Bradstreet had failed to provide the customer with ‘meaningful information about the logic involved’ in the automated decision-making in question. At the very least, the undertaking had failed to give a sufficient statement of reasons as to why it was unable to provide that information.
The court before which the customer brought the matter for the purposes of the enforcement of that judicial decision wonders what Dun & Bradstreet must do in practice in that regard. That court therefore referred the matter to the Court of Justice, seeking guidance on the interpretation of the GDPR and the directive on the protection of trade secrets. [2].
According to the Court, the controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used, and how they have been used, in the automated decision-making.
In order to meet the requirements of transparency and intelligibility, it could in particular be appropriate to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result. By contrast, the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation.
Where the controller takes the view that the information to be provided contains protected data of third parties or trade secrets, the controller must provide that allegedly protected information to the competent supervisory authority or court. It is for that authority or court to balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to that information.
The Court states in that regard that the GDPR precludes the application of a national provision which excludes, as a rule, the right of access in question where it would compromise a trade secret of the controller or of a third party. (curia.europa.eu/photo freepik.com)
_________________
1 Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
2 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
Comments
Post a Comment