In its ruling of February 27, 2025, the European Court of Justice (ECJ) made an important decision on the right of access pursuant to Art. 15 para. 1 lit. h GDPR. The ruling (Case C-203/22) clarifies the requirements for the transparency of automated decision-making and sets standards for the protection of personal data against commercial confidentiality interests.
Dispute over duty to provide information in the case of automated credit checks
The decision was based on a referral from the Vienna Administrative Court. The plaintiff CK, a natural person, was rejected by a mobile phone provider on the basis of an automated credit assessment. The assessment was carried out by Dun & Bradstreet Austria GmbH (D & B), a company specializing in credit assessments. CK then demanded access to the relevant criteria and calculation bases of this assessment in order to understand the basis for the decision and correct it if necessary.
D & B refused to disclose the underlying logic on the grounds that it was a matter of protected business secrets. CK then turned to the Austrian data protection authority, which requested that D & B provide meaningful information about the automated decision-making process. D & B lodged an appeal against this decision with the Federal Administrative Court, which confirmed the obligation to provide information.
As D & B remained inactive despite the legally binding decision, CK applied to the Vienna City Council to enforce the judgment. The enforcement authority rejected the application on the grounds that D & B had already fulfilled its duty to provide information. CK then turned again to the Vienna Administrative Court, which referred the case to the ECJ for a preliminary ruling.
ECJ to decide on the limits and scope of the right to information
The Vienna Administrative Court referred several fundamental questions to the ECJ regarding the interpretation of Art. 15 para. 1 lit. h GDPR. The central problem was to determine the limits and scope of the data subject's right to information in relation to automated decision-making processes. The Administrative Court's questions concerned in particular:
- Scope of the information obligations: What specific information must controllers provide in order to comply with the requirements of Art. 15 (1) (h) GDPR?
- Consideration of trade secrets: Is disclosure also required if business secrets or personal data of third parties are involved?
- Transparency versus secrecy: How can the tension between the data subject's right to data protection and the protection of companies' economic interests be resolved?
ECJ: Transparency and comprehensible presentation required
The ECJ has ruled that controllers are obliged to disclose the "logic involved" in automated decision-making processes in a way that is comprehensible to the data subject. This requires a clear description of the calculation methods and algorithms used. In particular, companies must explain:
- Which mathematical methods and models were used to make the decision,
- Which specific input variables were included in the assessment,
- How these factors as a whole led to the specific result.
The mere communication of a credit score or risk rating without further explanation is not sufficient. Rather, a transparent and comprehensible presentation is required to enable the data subject to make a realistic assessment of which criteria have contributed to the automated decision-making process.
Another key aspect of the decision concerns the protection of trade secrets and personal data of third parties. The ECJ clarified that companies may not invoke secrecy across the board in order to refuse to provide information. Rather, a careful balance must be struck between the interests of the person concerned and the economic protection interests of the company. Only in exceptional cases, where there is evidence of serious damage to economic interests, can a restriction of the obligation to provide information be justified.
The ECJ also made it clear that there can be no absolute refusal to provide information. If certain information cannot be disclosed directly for reasons of confidentiality, at least an alternative possibility must be created to guarantee the right of the data subject. For example, disclosure can be made to an independent supervisory authority or a court in order to enable an objective review of the automated decision-making process.
Effects of the ECJ ruling on practice
The ECJ's decision has far-reaching consequences for companies, especially those that rely on automated decision-making processes. Data controllers must now ensure that they meet the increased transparency requirements in order to guarantee legally compliant data processing.
- Extended information obligations: Companies are obliged to explain automated decision-making processes in a detailed and comprehensible manner. This means that data subjects must be able to understand which input variables were used and how these led to a particular decision. A mere reference to an automated evaluation is not sufficient; instead, the way it works must be disclosed in a way that is comprehensible to the data subject.
- Complicated invocation of trade secrets: The ECJ has made it clear that companies cannot invoke the protection of trade secrets across the board in order to refuse to disclose information. Instead, it must be examined in each individual case whether trade secrets worthy of protection are actually affected. If this is the case, it must be weighed up against the rights of the person concerned. Courts or supervisory authorities may be called in to decide which information must be disclosed.
- Need for new control mechanisms: In future, data protection authorities and courts will play a greater role in balancing transparency obligations and the protection of trade secrets. Companies should therefore be prepared to justify their balancing processes in detail. This may also lead to an increased documentation obligation in order to be able to prove to the supervisory authorities that the disclosure obligations have been fulfilled in accordance with the GDPR.
- Effects on contractual relationships: The decision can have far-reaching consequences for companies' contractual partners. Banks, insurance companies and mobile phone providers in particular, which rely on automated credit checks, must ensure that their customers receive a sufficiently clear explanation of the basis for the decision. Otherwise, the conclusion or extension of contracts could be challenged in court due to a lack of transparency.
- Adaptation of internal processes and compliance measures: Companies must adapt their internal processes to meet the new requirements. This includes implementing technical and organizational measures for transparent documentation and communication of the evaluation mechanisms.
Conclusion
The ECJ's decision has significantly clarified the right to transparency in automated decision-making. Data subjects now have a clearly defined and enforceable right to information, which enables them to better understand the processing of their personal data and to take legal action if necessary.
For companies, this means that they need to revise their internal processes and mechanisms for automated decision-making. They must provide more comprehensive information and disclose the underlying algorithms and decision-making logic in a comprehensible manner. This requires not only technical adjustments, but also closer cooperation with data protection authorities to ensure that the new requirements are met.
The decision also makes it clear that the protection of trade secrets cannot be used as a blanket argument for refusing to provide information. Rather, companies must carefully weigh up each individual case and, if necessary, find alternative ways to provide relevant information, for example by disclosing it to supervisory authorities or courts.