The Court of Justice of the European Union (CJEU), in a judgment handed down on Thursday 27 February (Case C-203/22), found that a person affected by an automated credit assessment is entitled to an explanation as to how the decision was taken regarding him or her.
The case in the main proceedings concerned an Austrian telephone operator that refused a contract to a customer on the basis of an automated credit assessment carried out by Dun & Bradstreet Austria.
Challenging this refusal, the customer took her case to the Austrian courts, which acknowledged that the company had breached the General Data Protection Regulation (GDPR) by failing to provide a clear explanation of the logic behind this assessment.
As part of this decision’s enforcement, the Austrian court asked the CJEU about the scope of the customer’s right of access. The Court specified that the explanation provided should enable the data subject to understand how his or her data had been used and to assess the impact of variations in the data on the final decision. Simply communicating an algorithm is not enough.
The Court also pointed out that if certain information is protected as a business secret, it must be communicated to the competent authorities in order to determine the scope of the data subject’s right of access. In addition, the CJEU emphasised that the GDPR did not allow national legislation to systematically exclude this right of access in the name of protecting trade secrets.
See the Court’s judgment: https://aeur.eu/f/fow (Original version in French by Bernard Denuit)