In its judgment of February 27, 2025 (Case C‑203/22, CK v. Magistrat der Stadt Wien), the ECJ specified what information a controller must provide to a data subject within the scope of the right of access under Art. 15 (1) (h) GDPR regarding the “logic involved” in automated decision-making and profiling. As a result, the controller must provide all information that enables the data subject to understand
- which personal data are processed in the context of automated decision-making
- in which way they were used.
A complex mathematical formula (e.g. an algorithm) is just as insufficient as a detailed description of each step of automated decision-making.
This judgment directly concerns the right to information in connection with automated decisions in individual cases. It has an indirect effect on the right to information as a whole, because its significance as a prior right is strengthened: it serves the exercise of further rights, which is why it must enable this exercise. This tends to lead to a broad interpretation of the right to information.
The specific case concerned the refusal of a mobile phone contract due to an automated credit check. Dun & Bradstreet Austria had failed to provide meaningful information about the logic involved in the credit check despite being requested to do so by the Austrian data protection authority. The Austrian Federal Administrative Court came to the following conclusion:
19 By decision of October 23, 2019 […], the Federal Administrative Court found that D & B had violated Article 15(1)(h) GDPR by failing to provide CK with meaningful information about the logic involved in the automated decision-making based on CK’s personal data or at least by failing to provide sufficient justification as to why it was unable to provide such information.
20 In its decision, the Federal Administrative Court stated in particular that D & B’s explanations had not been sufficient to put CK in a position to understand how the probability of their future behavior (“score”) had been determined. This score had been communicated to CK by D & B with the indication that, for its determination, certain socio-demographic data from CK had been “weighted equally among themselves”.
The ECJ states the following:
- The “meaningful information about the logic involved” in automated decision-making includes all relevant information on the procedure and principles of automated processing:
50 […] the interpretation […] that “meaningful information about the logic involved” in automated decision-making within the meaning of this provision is all relevant information on the method and principles of automated processing of personal data to achieve a specific result and that this information must also be provided in a precise, transparent, comprehensible and easily accessible form due to the transparency requirement.
- The information must enable the data subject to effectively exercise their rights under Art. 22 (3) GDPR (to express their point of view and to contest the decision):
53 As regards the specific right of access provided for in Art. 15 GDPR, according to the case law of the Court of Justice, it must enable the data subject to check whether data concerning them are correct and whether they are processed in a permissible manner […].
[…]55 In particular, in the specific context of the adoption of a decision based solely on automated processing, the main purpose of the data subject’s right […] is to enable him or her to effectively exercise the rights to which he or she is entitled under Article 22(3) GDPR, namely the right to state their own position and the right to challenge the decision.
[…]58 […] it follows that the right to “meaningful information about the logic involved” in automated decision-making within the meaning of this provision is to be understood as a right to an explanation of the procedure and principles of the automated processing of the data subject’s personal data in order to arrive at a certain result – such as a creditworthiness profile – on the basis of this data. […]
- Neither the mere transmission of a complex mathematical formula (such as an algorithm) nor the detailed description of each step of automated decision-making meets these requirements. Rather, the data subject must be able to understand which personal data were used in the context of automated decision-making and in which way:
59 Neither the mere transmission of a complex mathematical formula (such as an algorithm) nor the detailed description of each step of automated decision-making meets these requirements, as neither is a sufficiently precise and comprehensible explanation.
[…]61 The “meaningful information about the logic involved” in automated decision-making […] must therefore describe the process and the principles that are specifically applied in such a way that the data subject can understand which of their personal data has been used in the context of the automated decision-making in question and in what way, without the complexity of the steps to be taken in the context of automated decision-making releasing the controller from his obligation to provide explanations.
62 As regards, specifically, profiling such as that at issue in the main proceedings, the referring court could, in particular, consider it sufficiently transparent and comprehensible to inform the data subject of the extent to which a deviation in the personal data taken into account would have led to a different result.
- If the information contains business secrets or personal data of third parties, it may have to be transmitted to the supervisory authority or the competent court, which must weigh up the opposing rights and interests:
73 […] a national court […] may consider that personal data must be transmitted to it by parties or third parties in order to enable it […] to weigh up the interests involved. That assessment may, where appropriate, lead it to authorize the disclosure to the other party of all or part of the personal data thus transmitted to it […].
- National provisions, such as Section 4 (6) DSG-AT in this case, which exclude the right to information across the board if the information would jeopardize a business or trade secret, are not compatible with Art. 15 GDPR. A blanket restriction is inadmissible because the consideration must be made on a case-by-case basis:
75 With regard to the need to determine this on a case-by-case basis, Article 15(1)(h) GDPR in particular precludes the application of a provision such as Section 4(6) FADP, which in principle excludes the data subject’s right to information provided for in Article 15 GDPR if the information would jeopardize a business or trade secret of the controller or a third party. A Member State cannot conclusively prescribe the result of a balancing of the opposing rights and interests to be carried out on a case-by-case basis as prescribed by Union law (cf. in this sense Judgment of December 7, 2023, SCHUFA Holding and Others [Scoring], C‑634/21, EU:C:2023:957, para. 70 and the case law cited therein).