The recent ruling of the European Court of Justice (ECJ) of 27 February 2025 (C-203/22 – Dun & Bradstreet Austria GmbH) clarifies that data subjects have a comprehensive right to information pursuant to Art. 15 para. 1 lit. h GDPR, in particular with regard to automated decision-making in connection with creditworthiness scoring procedures. In this context, the ECJ also ruled on the applicability of the provision in Section 4 (6) of the DSG (Austrian Data Protection Act).

Scope of the Provision of Information within the Meaning of Art. 15 para. 1 lit. h GDPR

The starting point of the legal proceedings was a complaint by a data subject against the processing of their personal data by the credit agency named in the judgement. The data subject was of the opinion that the agency had provided insufficient information about the processing of their data. Although general information about the data processing was provided, the exact origin of the data and the specific composition and calculation logic of the score value were not disclosed. The Austrian data protection authority referred the case to the Vienna Administrative Court, which ultimately referred several questions on the scope of the right of access and the definition of personal data in connection with scoring procedures to the ECJ for a preliminary ruling.

In particular, the ECJ ruling now means that data subjects are entitled to specific, transparent and comprehensible explanations of the procedures and principles used to calculate their credit profile in connection with the obligation to provide information in the case of automated decisions (Art. 15 para. 1 lit. h GDPR in conjunction with Art. 22 para. 1 GDPR).

In its ruling, the ECJ states that “[…] the data subject may require the controller, as ‘meaningful information about the logic involved’, to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile” (see ECJ 27 February 2025, C-203/22 para. 66).

Furthermore, abstract explanations and general principles are not sufficient. Neither the mere indication of complex mathematical formulas nor the detailed description of each step of automated decision-making is sufficient. Rather, an individual reference is required – the information must relate to the specific individual case, including the possible effects of data variances (ECJ 27 February 2025, C-203/22 para. 59-62).

To what Extent does Section 4 (6) of the DSG (Austrian Data Protection Act) Play a Role Here?

Section 4 (6) of the DSG stipulates that “the right of access of the data subject pursuant to Art. 15 GDPR […] vis-à-vis a controller shall, notwithstanding other legal restrictions, generally not [exist] if the provision of such information would jeopardise a business or trade secret of the controller or a third party.”

This provision leads to the assumption that the right of access of data subjects in Austria is generally restricted if the business secrets of a controller are to be protected. Accordingly, Dun & Bradstreet Austria GmbH asserted in the proceedings that certain information, in particular the calculation logic and the exact data sources of the credit score, constituted business secrets or trade secrets and that disclosure of this information would jeopardise its economic interests.

However, the ECJ has clarified in this regard that although a threat to a business or trade secret may generally be taken into account as a legitimate interest, it does not in principle exclude the right of access for data subjects provided for in Art. 15 GDPR.

Rather, Art. 15 para. 1 lit. h GDPR is to be interpreted in the sense that in the above-mentioned cases, “the controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access” (see ECJ 27 February 2025, C-203/22 para. 75, 76).

The Austrian provision of Section 4 (6) of the DSG was therefore deemed to be contrary to EU law by the ECJ.

The Austrian data protection authority has already responded to the decision of the ECJ with a circular letter to the WKO (professional association for financial service providers) in fulfilment of its task pursuant to Art. 57 para. 1 lit. d GDPR (promote the awareness of controllers and processors of their obligations).

Conclusion and Outlook

In view of this decision, a high standard is likely to be generally assumed in Europe in future with regard to the scope of the right of access pursuant to Art. 15 para. 1 lit. h GDPR. When data subjects request information, it is advisable for the controller to provide a description of the specific procedures actually applied and to explain which specific personal data is processed in the context of automated decision-making and how.

Austrian controllers in particular can no longer – as was previously the case – invoke Section 4 (6) of the DSG. This provision is still formally contained in the Austrian Data Protection Act and in force. However, Austrian authorities and courts must no longer apply this provision, which is contrary to Union law, due to the uniform interpretation and primacy of EU law. This means that jeopardising a trade secret no longer means per se that the data subject has no right of access.

Overall, it can be observed that it is not uncommon for national data protection standards to be contrary to EU law. In Austria, for example, it has already been decided with regard to Sections 12 and 13 of the DSG (special regulations on image processing) that these are not compatible with the GDPR and are not applicable because there is no corresponding opening clause (see, i.a., Data Protection Authority (dsb Republic of Austria) Newsletter 1/2020 and the decision or ruling of the Austrian Federal Administrative Court (BVwG) here and here).

The ECJ has also already dealt with the applicability of national employee data protection law in Germany. We last reported on this here.