Another Court of Justice of the European Union (CJEU) decision on the fine print of handling automated decision-making in credit scoring was handed down recently (C-203/22)(1). This case originated from Austria and involved an individual person (CK) proceeding against the Magistrat der Stadt Wien (City Council of Vienna – City Council), with further involvement of Dun & Bradstreet Austria.

An individual in Austria wanted to extend her mobile phone contact, requiring monthly payments of €10. The operator refused the extension based on an insufficient credit rating. The automated credit assessment of CK was obtained from Dun & Bradstreet Austria (D&B), formerly Bisnode Austria, a company specialising in the provision of credit assessments. CK demanded information on the logic involved, based on her Art 5(1)(h) and 22(3) GDPR rights, in order to be able to understand and, if necessary, correct the basis for the calculation. D&B provided only limited information and relied on the protection of trade secrets for its refusal of the remaining information. When CK brought this matter to the Austrian Data Protection Authority, D&B was ordered to disclose to CK meaningful information about the logic involved in the automated decision-making based on personal data of CK. This order was challenged by D&B before the Federal Administrative Court Austria on the basis that any disclosure, in excess of what it had already provided to CK, would lead it to reveal trade secrets.