Algorithmic Transparency and Personal Data Protection: CJEU Ruling on “Scoring” and Automated Decision-Making

31 Jul 2025

When an algorithm determines your creditworthiness — you have the right to know why. In a recent judgment in the case of Dun and Bradstreet Austria (C-203/22), the Court of Justice of the European Union (“CJEU”) clarified the scope of the right to access information about the logic behind automated decisions. This decision provides important guidance on the interpretation of Article 15(1)(h) of the General Data Protection Regulation (“GDPR”) in the context of automated decision-making, particularly when it comes to credit scoring and similar assessments.

How Did the Question of Algorithmic Transparency Come Before the CJEU?

The dispute arose when an Austrian mobile network operator refused to enter into a contract with an individual, citing a negative credit assessment as the reason. In assessing the individual’s creditworthiness, the operator relied on the services of a specialized credit risk assessment company. The data subject submitted a request to the Austrian Data Protection Authority (“DPA”), seeking access to information about the basis for the negative assessment and the logic of the algorithm used to reach that decision.

The DPA ordered the company to provide the requested information. However, the company appealed the decision to the competent administrative court. The court partially upheld the DPA’s order, finding that the obligation under Article 15(1)(h) GDPR had not been fully met. In the subsequent proceedings, the company claimed that it had already provided the necessary information, while the data subject maintained that access had been incomplete and continued to challenge the outcome before the competent authorities.

Given the complexity of the question regarding what type of information must be disclosed and to what extent, the administrative court sought a preliminary ruling from the CJEU, requesting interpretation of the relevant GDPR provisions — particularly Article 15(1)(h).

CJEU Judgment: When Can Trade Secrets Limit the Right to Information?

The CJEU held that data subjects have the right to receive clear and intelligible information about the logic behind an automated decision. According to the Court, the purpose of this obligation is to enable data subjects to understand the essential elements of the decision-making process — including the methods used, the criteria applied, and how those criteria were evaluated. A balance must be struck between making information accessible and protecting trade secrets, ensuring that explanations are sufficiently clear and substantive, without disclosing technical details of the algorithm that are subject to special protection.

The Court reached the following conclusions:

  • the right to information must enable the data subject to understand and verify whether the data underlying the decision is accurate, and whether the decision itself is justified based on that data;
  • the right to information is not absolute and may be restricted to protect trade secrets or the rights of third parties, but in such cases, the relevant information must be made available to the competent authorities or courts, which will decide on the appropriate scope of access;
  • national laws that automatically exclude access to information in order to protect trade secrets are not compatible with the GDPR, as blanket restrictions without an individual assessment are not allowed.

Among other things, this judgment confirms that the right to “meaningful information about the logic involved” in automated decisions plays a key role in enabling the exercise of other rights under Article 22(3) of the GDPR, such as the right to human intervention, rectification, and contesting the decision.

Transparency and Trust in the Digital Age: The Practical Impact of the CJEU Ruling

The judgment provides clear and binding guidance for companies that rely on algorithms and automated decision-making systems, particularly in areas such as credit scoring, insurance, and employment. Companies are now required to offer users accessible and comprehensible explanations of how automated processes function when such processes significantly affect their lives. Transparency is not only a legal requirement, but also a vital element in building trust and ensuring fair business practices.

At the same time, the decision strengthens individuals’ position by giving them the ability to understand and, when necessary, challenge decisions made without human involvement. This contributes to increased control over personal data in an era of growing digitalization and automation.

The Reach of the CJEU’s Judgment in Serbia: Impact on Practice and Corporate Conduct

Although not formally binding on Serbia, the case law of European courts has a significant influence on the interpretation and application of the national Law on Personal Data Protection. Given the alignment of Serbian legislation with the principles of the GDPR, it is reasonable to expect that, in similar cases, the Commissioner for Information of Public Importance and Personal Data Protection, as well as domestic courts, would follow a line of reasoning similar to that of the CJEU.

Accordingly, companies operating in Serbia should adapt their practices to strike a balance between the protection of trade secrets and the individual’s right of access to information, thereby further strengthening personal data protection in the digital environment.

Author: Sonja Stojčić, Senior Associate
Email: sonja.stojcic@prlegal.rs; legal@prlegal.rs