Introduction
On 27 February 2025, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in the case of CK v Dun & Bradstreet Austria GmbH (Case C-203/22).
The dispute arose when CK, an Austrian citizen, was subjected to an automated creditworthiness assessment conducted by Dun & Bradstreet Austria GmbH. This assessment, which lacked any manual oversight, concluded that CK had insufficient credit standing. As a result, a mobile telephone operator refused to conclude or extend a mobile phone contract with her. CK challenged this decision, seeking to understand the rationale behind the automated assessment and requesting access to the underlying logic of the decision-making process as outlined in Article 15(1)(h) of the GDPR.
Legal Questions Addressed
The CJEU was tasked with interpreting the GDPR, particularly focusing on the following issues:
- Transparency Obligations under Article 15(1)(h) GDPR: Does the right to access information about automated decision-making processes include a detailed explanation of the logic involved?
- Balancing Trade Secret Protection (Directive 2016/943) and GDPR Rights: How can organizations reconcile their obligations to protect trade secrets with the requirement to provide meaningful information about automated decisions?
- Scope of Automated Decisions under Article 22 GDPR: Does the absence of human involvement in the credit assessment heighten the transparency obligations?
Key Findings of the Court
The CJEU ruled that organizations must provide data subjects with sufficient information to enable them to understand the rationale behind automated decisions affecting them. The judgment emphasized the following points:
- Enhanced Transparency: Organizations are required to go beyond mere technical descriptions and provide practical explanations that allow individuals to understand why a specific decision was made.
- No Absolute Protection for Trade Secrets: While the protection of trade secrets is acknowledged under Directive 2016/943, it does not supersede the fundamental rights of individuals under the GDPR. The decision highlights that organizations must balance the two interests and prioritize data subject rights when significant impacts occur.
- Absence of Human Oversight: The case underlined that where decisions are entirely automated, the obligation to ensure meaningful information is even more critical. The lack of manual oversight made it crucial for the data controller to clearly explain the algorithmic logic applied.
Practical Implications for Organizations
The judgment sets clear expectations for organizations that utilize automated decision-making processes. To comply with this ruling, businesses should consider the following steps:
- Review Automated Decision-Making Policies: Ensure that existing policies align with the latest interpretation of transparency obligations under the GDPR.
- Develop Comprehensive Explanations: Draft accessible and clear descriptions of the logic behind automated decisions, avoiding overly technical or vague explanations.
- Assess Trade Secret Protections: Evaluate whether the information to be disclosed genuinely compromises trade secrets, or whether disclosing it is necessary to fulfil transparency obligations.
- Implement Human Oversight Where Possible: Even in predominantly automated processes, incorporating human checks can mitigate risks related to non-compliance.
- Train Data Handling Teams: Equip staff with the knowledge and resources to handle data subject requests efficiently, focusing on clarity and accuracy.
QUESTIONS?
For further assistance or to discuss how this ruling may impact your business, please contact Benjamin Ross, our Global Head of Privacy & Cybersecurity.