Request for a preliminary ruling from the Verwaltungsgericht Wien (Austria) lodged on 16 March 2022 – CK

(Case C-203/22)

Language of the case: German

Referring court

Verwaltungsgericht Wien

Parties to the main proceedings

Applicant: CK

Interested parties: Dun & Bradstreet Austria GmbH., Magistrat der Stadt Wien

Questions referred

What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently ‘meaningful’ within the meaning of Article 15(1)(h) of the General Data Protection Regulation (‘the GDPR’)? 1

In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller – where necessary in compliance with an existing trade secret – as part of the disclosure of the ‘logic involved’ which includes, in particular, (1) the disclosure of the data subject’s processed data, (2) the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and (3) the information relevant to establishing the connection between the processed information and the rating arrived at?

In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR:

communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

making available the input data used for profiling,

the parameters and input variables used in the determination of the rating,

the influence of these parameters and input variables on the calculated rating,

information on the origin of the parameters or input variables,

an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and clarification of the implications of such rating,

listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Is the right of access granted by Article 15(1)(h) of the GDPR related to the rights guaranteed by Article 22(3) of the GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 of the GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) of the GDPR is only sufficiently ‘meaningful’ if the party requesting access and the data subject for the purpose of Article 15(1)(h) of the GDPR is enabled to exercise the rights guaranteed by Article 22(3) of the GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 of the GDPR concerning him or her in a real, profound and promising way?

(a) Must Article 15(1)(h) of the GDPR be interpreted as meaning that information constitutes ‘meaningful information’ for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) of the GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?

(b) If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) of the GDPR (black box)?

Can this tension between the right of access within the meaning of Article 15(1) of the GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?

(c) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in point (3b)?

Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) of the GDPR to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?

(a) What is the procedure if the information to be provided in accordance with Article 15(1)(h) of the GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) of the Know-How Directive? 1

Can the tension between the right of access guaranteed by Article 15(1)(h) of the GDPR and the right to non-disclosure of a trade secret protected by the Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) of the Know-How Directive to be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) of the Know-How Directive exists and whether the information provided by the controller within the meaning of Article 15(1) of the GDPR is accurate?

(b) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) of the GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) of the GDPR by creating the black box referred to in point (4a)?

In this case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) of the GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) of the GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) of the GDPR in their entirety:

communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject’s data is being processed, which allows the data subject to check compliance with the GDPR,

making available the input data used for profiling,

the parameters and input variables used in the determination of the rating,

the influence of these parameters and input variables on the calculated rating,

information on the origin of the parameters or input variables,

an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) of the GDPR has been assigned a specific rating and clarification of the implications of such rating,

listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Does the provision of Article 15(4) of the GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) of the GDPR?

If this question is answered in the affirmative, is this right of access limited by Article 15(4) of the GDPR, and how is the extent of the limitation to be determined in each individual case?

Is the provision of Article 4(6) of the Law on Data protection, according to which ‘the right of access of the data subject pursuant to Article 15 of the GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties’ compatible with the requirements of Article 15(1) in conjunction with Article 22(3) of the GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility?

____________

1     Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).

1     Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ 2016 L 157, p. 1).