European Court rules that a data subject is entitled to an explanation as to how the decision was taken in respect of him or her

European Court rules that a data subject is entitled to an explanation as to how the decision was taken in respect of him or her

27 February 2025

According to a judgement delivered on 27 February 2025 by the European Court of Justice, a data subject is entitled to an explanation as to how the decision was taken in respect of him or her, and that the explanation provided must enable the data subject to understand and challenge the automated decision.

The case refers to a mobile telephone operator in Austria that refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied in that regard on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria, an undertaking specialising in the provision of such assessments. The contract would have involved a monthly payment of €10.

In the ensuing dispute, an Austrian court found, by final decision, that Dun & Bradstreet had infringed the General Data Protection Regulation (GDPR) [Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)].

The ruling states that Dun & Bradstreet had failed to provide the customer with ‘meaningful information about the logic involved’ in the automated decision-making in question. At the very least, the undertaking had failed to give a sufficient statement of reasons as to why it was unable to provide that information.

The court before which the customer brought the matter for the purposes of the enforcement of that judicial decision wonders what Dun & Bradstreet must do in practice in that regard. That court therefore referred the matter to the Court of Justice, seeking guidance on the interpretation of the GDPR and the directive on the protection of trade secrets [Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure].

According to the Court, the controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in the automated decision-making.

In its ruling, the Court determined that:

  1. Article 15(1)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that, in the case of automated decision-making, including profiling, within the meaning of Article 22(1) of that regulation, the data subject may require the controller, as ‘meaningful information about the logic involved’, to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.

  1. Article 15(1)(h) of Regulation 2016/679

must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of that regulation.

Read more here.

Skip to content