With its judgment of February 27, 2025, in Case C‑203/22 (Dun & Bradstreet), the ECJ ruled on so‑called scoring. Data controllers who subject individuals to automated decision‑making pursuant to Article 22 of the GDPR must, in the context of the individuals’ right of access, provide detailed information on the data and formulas.
Background
A mobile phone provider refused to conclude a contract with a data subject because the data subject's credit rating was insufficient. For this assessment, the mobile phone provider had used an automated credit assessment from Dun & Bradstreet Austria GmbH. Relying on the right of access under Article 15 (1) (h) of the GDPR, the data subject then requested meaningful information about the “logic involved” in the automated decision-making process in order to be able to understand and, if necessary, correct the basis for the calculation. Dun & Bradstreet invoked the protection of business secrets, refused comprehensive disclosure, and provided only limited information. The Austrian data protection authority ordered Dun & Bradstreet to provide meaningful information about the logic involved. The Austrian Federal Administrative Court initially confirmed the data protection supervisory authority's view, but since Dun & Bradstreet did not provide any further information in the course of the enforcement, the data subject brought an action against the enforcement authority's decision before the Administrative Court in Vienna. The administrative court asked the ECJ which substantive requirements information under Article 15 (1) (h) GDPR must meet and how detailed that information must be. In particular, the administrative court wanted to know how the relationship between the right of access and the protection of trade secrets is to be assessed.
The decision of the ECJ
The ECJ ruled that the information to be provided under Article 15 (1) (h) of the GDPR must be such that data subjects can use it to understand which of their personal data was specifically used to obtain a particular result. It is not sufficient to provide calculation formulas that are so complex that data subjects cannot understand the decision-making process. Rather, it is necessary to determine in each individual case what specific information will create the desired transparency for the data subject. Furthermore, controllers must bear in mind that invoking business confidentiality does not exempt them from this obligation: in case of doubt, the controller must provide the relevant information to the court or supervisory authority, which in turn will assess whether, and which, information is to be provided to the data subject.
Practical recommendations
The ECJ ruling has significant practical implications. It not only affects credit scoring and similar scoring procedures, but also requires an adjustment of processes for data access. First, controllers should check whether the use of scoring and other automated decision-making is sufficiently reflected in the access process and tailored to the individual case. Second, all data processing that may affect trade secrets and similarly critical information must be checked to see whether the ECJ's requirements with regard to providing information can be met.