Automated credit assessment: The data subject is entitled to an explanation as to how the decision was taken in respect of him or her

In its Judgment (27.2.2025) in Case C-203/22 (Dun & Bradstreet Austria) as regards the automated credit assessment, the Court of Justice ruled that the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. The explanation provided must enable the data subject to understand and challenge the automated decision.

In Austria, a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied in that regard on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria, an undertaking specialising in the provision of such assessments. The contract would have involved a monthly payment of €10.

In the ensuing dispute, an Austrian court found, by final decision, that Dun & Bradstreet had infringed the General Data Protection Regulation (GDPR). [1]. Dun & Bradstreet had failed to provide the customer with ‘meaningful information about the logic involved’ in the automated decision-making in question. At the very least, the undertaking had failed to give a sufficient statement of reasons as to why it was unable to provide that information.

The court before which the customer brought the matter for the purposes of the enforcement of that judicial decision wonders what Dun & Bradstreet must do in practice in that regard. That court therefore referred the matter to the Court of Justice, seeking guidance on the interpretation of the GDPR and the directive on the protection of trade secrets. [2].

READ AS WELL: Obligation of a creditor to check a consumer’s creditworthiness - Credit agreement void and creditor’s entitlement to payment of the agreed interest forfeited / Article by George Kazoleas, Lawyer

According to the Court, the controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used, and how they have been used, in the automated decision-making.

In order to meet the requirements of transparency and intelligibility, it could in particular be appropriate to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result. By contrast, the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation.

Where the controller takes the view that the information to be provided contains protected data of third parties or trade secrets, the controller must provide that allegedly protected information to the competent supervisory authority or court. It is for that authority or court to balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to that information.

The Court states in that regard that the GDPR precludes the application of a national provision which excludes, as a rule, the right of access in question where it would compromise a trade secret of the controller or of a third party. (curia.europa.eu/photo freepik.com)

Read the Decision here

_________________

1 Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

2 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

Air passenger rights: A boarding pass may be sufficient to prove a confirmed reservation on a flight

Image
According to the Judgment of the European Court of Justice in Case C-20/24, a boarding pass may be sufficient to prove a confirmed reservation on a flight. Payment by a third party of the price of the package tour, including a flight, does not exclude the right to compensation in the event of long delay of a flight.  An air carrier offering charter flights concluded a contract with a tour operator. Under that contract, the carrier operated, on specific dates, flights for which that tour operator, after paying for the flights, sold tickets to air passengers. Two air passengers participated in a package tour, including a flight from Tenerife to Warsaw, the arrival of which was delayed by more than 22 hours. The contract relating to the package tour was concluded between a third company, on behalf of those passengers, and that tour operator. The passengers concerned claimed compensation from the air carrier under EU law. [1]  The latter refused to pay that compensation. It argued...
Read more

The Swiss authorities failed in their positive obligation to protect the life of a woman from violence by her partner (ECtHR)

Image
In the case of N.D. v. Switzerland, the European Court of Human Rights held that there had been a violation of the right to life in a case involving violence against a woman by her partner. The applicant, who had been unaware of her partner’s criminal record, was kidnapped by him from her home after informing him that she wished to end their relationship. She was then falsely imprisoned over an 11-hour period and subjected to rape and ill-treatment. To this day, the applicant suffers from the psychological after-effects of the treatment inflicted on her. The Court found that the authorities had not done all that could reasonably have been expected of them to avert the real and immediate risk to the applicant’s life, of which they had been or ought to have been aware. It noted that there had been neither an adequate assessment of the risk to the applicant’s life nor operational measures which might have had a real chance of altering the course of events or mitigating the da...
Read more

GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery (CJEU)

Image
In its Judgment in Case C-247/23 |[Deldits] [1] the European Court of Justice ruled that the rectification of data relating to gender identity cannot be made conditional upon proof of surgery. In 2014, VP, an Iranian national, obtained refugee status in Hungary by relying on their transgender identity and producing medical certificates drawn up by specialists in psychiatry and gynaecology.  According to those certificates, although that person was born female, their gender identity was male. Following the recognition of their refugee status on that basis, that person was nevertheless registered as female in the asylum register, which is kept by the Hungarian asylum authority and contains identification data, including gender, of the persons who have obtained that status in Hungary.  In 2022, on the basis of the abovementioned medical certificates, VP requested, inter alia, that the asylum authority rectify the entry in respect of their gender in that register, on the basis of ...
Read more