CJEU defined the data to be disclosed in automated processes
In February 2025, the Court of Justice of the European Union (CJEU) delivered its judgment in case C-203/22 (‘CK v Dun & Bradstreet’). In the decision, the CJEU clarified, on the basis of the General Data Protection Regulation (GDPR), what kinds of data should be provided to the data subject in cases where automated decision-making (including profiling) is involved, and how the data controller should provide this data.
The decision arose from a dispute between a natural person (‘data subject’) and Dun & Bradstreet Austria GmbH, a credit rating agency (‘D&B’ or ‘data controller’). An automated assessment carried out by D&B classified the natural person as financially uncreditworthy, and on that basis a mobile phone operator refused to conclude a contract with her. The data subject requested that D&B provide meaningful information about the logic involved in the profiling based on her personal data. D&B did not provide the requested details of the algorithm used in profiling in a concise and intelligible manner, invoking rules of Austrian and EU law under which the right of access could be restricted to protect trade secrets, so the data subject brought an action against D&B before the Austrian court. After lengthy litigation, the Austrian court asked the CJEU for a preliminary ruling on the extent to which, in the case of an automated assessment (profiling), a data controller must provide the data subject with information about the details of its algorithms and processes where these are trade secrets.
In its decision, the CJEU clarified that, in the case of an automated decision-making process, the data subject must on request be given access to the procedure and principles of the assessment carried out to reach a specific result (e.g. profiling) in which his/her personal data was used. This information shall be provided in a concise and intelligible manner; the explanation provided by the data controller should enable the data subject to understand and challenge the automated decision (merely transmitting an algorithm does not constitute a sufficiently concise and understandable explanation). The CJEU pointed out that if the data controller considers the requested data about its processes and principles to be trade secrets or third-party data, it must disclose them to the competent authority/court, which must then decide on a case-by-case basis which information and details the data subject is entitled to access.
The Court further stated that, in such matters, national courts cannot decide solely on the basis of national law, but must always follow EU law. In particular, where national law defines the existence of certain rights as a general restriction on the right of access, the national authority shall not apply that restriction automatically; in each case, it shall assess individually whether the limitation of the right of access respects the fundamental rights and freedoms of the data subject and is necessary and proportionate.